{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32117", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.855Z", "datePublished": "2026-03-11T21:28:38.122Z", "dateUpdated": "2026-03-12T19:29:56.170Z"}, "containers": {"cna": {"title": "grafanacubism-panel : Stored XSS via javascript: URL in panel zoom link (Editor \u2192 Viewer)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948"}, {"name": "https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926", "tags": ["x_refsource_MISC"], "url": "https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926"}], "affected": [{"vendor": "ekacnet", "product": "grafanacubism-panel", "versions": [{"version": "<= 0.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:28:38.122Z"}, "descriptions": [{"lang": "en", "value": "The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin."}], "source": {"advisory": "GHSA-q6fh-6m3m-5948", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:29:49.324041Z", "id": "CVE-2026-32117", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:29:56.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32117", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:29:49.324041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:29:53.270Z"}}], "cna": {"title": "grafanacubism-panel : Stored XSS via javascript: URL in panel zoom link (Editor \u2192 Viewer)", "source": {"advisory": "GHSA-q6fh-6m3m-5948", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ekacnet", "product": "grafanacubism-panel", "versions": [{"status": "affected", "version": "<= 0.1.2"}]}], "references": [{"url": "https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948", "name": "https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926", "name": "https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:28:38.122Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32117", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:29:56.170Z", "dateReserved": "2026-03-10T22:02:38.855Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T21:28:38.122Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ekacnet:grafanacubism-panel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA871BA8-561A-4EDA-A539-CCD3B9619C83", "versionEndIncluding": "0.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link to a javascript: URI; when any Viewer drag-zooms on the panel, the payload executes in the Grafana origin."}, {"lang": "es", "value": "El plugin grafanacubism-panel permite el uso de cubism.js en Grafana. En la versi\u00f3n 0.1.2 y anteriores, el gestor de enlace de zoom del panel pasa una URL proporcionada por el editor del panel de control directamente a window.location.assign() / window.open() sin validaci\u00f3n de esquema. Un atacante con privilegios de Editor del panel de control puede establecer el enlace a una URI javascript:; cuando cualquier Visor hace zoom arrastrando en el panel, la carga \u00fatil se ejecuta en el origen de Grafana."}], "id": "CVE-2026-32117", "lastModified": "2026-03-17T21:02:11.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T22:16:32.473", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ekacnet/grafanacubism-panel/commit/b79cbf7e5eb3225bb204bcef274e15e6b19d9926"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ekacnet/grafanacubism-panel/security/advisories/GHSA-q6fh-6m3m-5948"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "grafanacubism-panel", "source": "cna", "vendor": "ekacnet"}, "product": "grafanacubism-panel", "vendor": "ekacnet"}], "analysis": {"en": {"generated_at": "2026-03-17T22:23:34.675463+00:00", "value": {"mitigation_remediation": ["Upgrade grafanacubism-panel to a patched version (e.g., 0.1.3 or later) if one is available from the vendor.", "If no patch is available yet, remove or disable the zoom\u2011link handler or constrain dashboard\u2011editor rights to trusted personnel.", "Alternatively, uninstall the grafanacubism\u2011panel plugin until the vendor releases a fix."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected vendors and products are listed as ekacnet:grafanacubism-panel. The vulnerability applies to all releases of the plugin dated 0.1.2 and earlier, regardless of Grafana major version. Users deploying this 0.1.2\u2011level plugin must assess whether the zoom\u2011link feature is active and whether they assign editor roles to untrusted accounts.", "description_and_impact": "The grafanacubism-panel plugin for Grafana allows an editor to supply a URL that is passed directly to window.location.assign() or window.open() without scheme validation during a panel zoom action, enabling the injection of a javascript: URI that is executed in the Grafana domain when any viewer drags\u2011zooms the panel, resulting in stored cross\u2011site scripting (CWE\u201179). An attacker can run arbitrary JavaScript in the context of the Grafana UI, potentially accessing session cookies, making authenticated API requests or modifying page content.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity. EPSS is below 1%, suggesting low current exploitation probability, and the vulnerability is not catalogued in CISA's Known Exploited Vulnerabilities list. The attack requires an attacker who already has dashboard\u2011editor privileges; the exploit flows from the editor setting a javascript: link to a viewer dragging\u2011zooming the panel. Users with broader view access could eventually suffer impact if an editor misconfigures the plugin."}}}}, "created": "2026-03-12T09:55:47.881402+00:00", "updated": "2026-03-20T15:36:56.770678+00:00", "vendors": ["ekacnet", "ekacnet$PRODUCT$grafanacubism-panel"]}