PatchSiren cyber security CVE debrief
CVE-2026-8595 Grafana CVE debrief
CVE-2026-8595 is a stored cross-site scripting (XSS) vulnerability in Grafana. A user with Editor permissions can create a dashboard with a TableNG panel containing a malicious field name. When another user views this dashboard, the malicious field name executes as a script in their browser. The vulnerability has a CVSS score of 6.8 and is classified as MEDIUM severity.
- Vendor
- Grafana
- Product
- Grafana OSS
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Grafana, especially those with Editor permissions, should be aware of this vulnerability. Administrators of Grafana instances should prioritize patching to prevent exploitation.
Technical summary
The vulnerability exists in the TableNG panel of Grafana dashboards. An Editor user can craft a dashboard with a malicious field name that is stored and executed as a script when another user views the dashboard. This allows for stored cross-site scripting (XSS) attacks. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L.
Defensive priority
Medium priority should be given to patching this vulnerability, as it requires Editor permissions to exploit but can affect any user viewing the dashboard.
Recommended defensive actions
- Apply the patch provided by Grafana to fix the vulnerability
- Restrict Editor permissions to trusted users
- Monitor dashboard creation and changes for suspicious activity
- Implement additional security measures such as input validation and output encoding
Evidence notes
The CVE record was published on 2026-07-10T16:16:39.400Z and last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. The vulnerability was reported by [email protected].
Official resources
-
CVE-2026-8595 CVE record
CVE.org
-
CVE-2026-8595 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T16:16:39.400Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.