PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8595 Grafana CVE debrief

CVE-2026-8595 is a stored cross-site scripting (XSS) vulnerability in Grafana. A user with Editor permissions can create a dashboard with a TableNG panel containing a malicious field name. When another user views this dashboard, the malicious field name executes as a script in their browser. The vulnerability has a CVSS score of 6.8 and is classified as MEDIUM severity.

Vendor
Grafana
Product
Grafana OSS
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Grafana, especially those with Editor permissions, should be aware of this vulnerability. Administrators of Grafana instances should prioritize patching to prevent exploitation.

Technical summary

The vulnerability exists in the TableNG panel of Grafana dashboards. An Editor user can craft a dashboard with a malicious field name that is stored and executed as a script when another user views the dashboard. This allows for stored cross-site scripting (XSS) attacks. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L.

Defensive priority

Medium priority should be given to patching this vulnerability, as it requires Editor permissions to exploit but can affect any user viewing the dashboard.

Recommended defensive actions

  • Apply the patch provided by Grafana to fix the vulnerability
  • Restrict Editor permissions to trusted users
  • Monitor dashboard creation and changes for suspicious activity
  • Implement additional security measures such as input validation and output encoding

Evidence notes

The CVE record was published on 2026-07-10T16:16:39.400Z and last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. The vulnerability was reported by [email protected].

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T16:16:39.400Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.