
Vulnerability_id VCID-ss32-rtp3-zufc
Summary
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin
A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal and an open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full-read SSRF.

The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
Aliases
0
alias CVE-2025-4123
1
alias GHSA-q53q-gxq9-mgrj
Fixed_packages
Affected_packages
0
url pkg:rpm/redhat/grafana@6.3.6-7?arch=el8_2
purl pkg:rpm/redhat/grafana@6.3.6-7?arch=el8_2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@6.3.6-7%3Farch=el8_2
1
url pkg:rpm/redhat/grafana@7.3.6-9?arch=el8_4
purl pkg:rpm/redhat/grafana@7.3.6-9?arch=el8_4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@7.3.6-9%3Farch=el8_4
2
url pkg:rpm/redhat/grafana@7.5.11-6?arch=el8_6
purl pkg:rpm/redhat/grafana@7.5.11-6?arch=el8_6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@7.5.11-6%3Farch=el8_6
3
url pkg:rpm/redhat/grafana@7.5.11-10?arch=el9_0
purl pkg:rpm/redhat/grafana@7.5.11-10?arch=el9_0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@7.5.11-10%3Farch=el9_0
4
url pkg:rpm/redhat/grafana@7.5.15-7?arch=el8_8
purl pkg:rpm/redhat/grafana@7.5.15-7?arch=el8_8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7y8a-8can-nba1
1
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@7.5.15-7%3Farch=el8_8
5
url pkg:rpm/redhat/grafana@9.0.9-8?arch=el9_2
purl pkg:rpm/redhat/grafana@9.0.9-8?arch=el9_2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7y8a-8can-nba1
1
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.0.9-8%3Farch=el9_2
6
url pkg:rpm/redhat/grafana@9.2.10-23?arch=el8_10
purl pkg:rpm/redhat/grafana@9.2.10-23?arch=el8_10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-23%3Farch=el8_10
7
url pkg:rpm/redhat/grafana@9.2.10-23?arch=el9_4
purl pkg:rpm/redhat/grafana@9.2.10-23?arch=el9_4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7y8a-8can-nba1
1
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-23%3Farch=el9_4
8
url pkg:rpm/redhat/grafana@10.2.6-13?arch=el9_6
purl pkg:rpm/redhat/grafana@10.2.6-13?arch=el9_6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@10.2.6-13%3Farch=el9_6
9
url pkg:rpm/redhat/grafana@10.2.6-17?arch=el10_0
purl pkg:rpm/redhat/grafana@10.2.6-17?arch=el10_0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ss32-rtp3-zufc
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@10.2.6-17%3Farch=el10_0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-4123
reference_id
reference_type
scores
0
value 0.02887
scoring_system epss
scoring_elements 0.86273
published_at 2026-04-07T12:55:00Z
1
value 0.02887
scoring_system epss
scoring_elements 0.86301
published_at 2026-04-09T12:55:00Z
2
value 0.02887
scoring_system epss
scoring_elements 0.86291
published_at 2026-04-08T12:55:00Z
3
value 0.0387
scoring_system epss
scoring_elements 0.88242
published_at 2026-04-16T12:55:00Z
4
value 0.0387
scoring_system epss
scoring_elements 0.88228
published_at 2026-04-13T12:55:00Z
5
value 0.0387
scoring_system epss
scoring_elements 0.88236
published_at 2026-04-11T12:55:00Z
6
value 0.0387
scoring_system epss
scoring_elements 0.88265
published_at 2026-04-26T12:55:00Z
7
value 0.0387
scoring_system epss
scoring_elements 0.8826
published_at 2026-04-24T12:55:00Z
8
value 0.0387
scoring_system epss
scoring_elements 0.88241
published_at 2026-04-21T12:55:00Z
9
value 0.06301
scoring_system epss
scoring_elements 0.9091
published_at 2026-04-02T12:55:00Z
10
value 0.08544
scoring_system epss
scoring_elements 0.9237
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-4123
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/grafana/grafana
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/grafana/grafana
4
reference_url https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
5
reference_url https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
6
reference_url https://grafana.com/security/security-advisories/cve-2025-4123
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://grafana.com/security/security-advisories/cve-2025-4123
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-4123
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-4123
8
reference_url https://pkg.go.dev/vuln/GO-2025-3702
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://pkg.go.dev/vuln/GO-2025-3702
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2364632
reference_id 2364632
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2364632
10
reference_url https://grafana.com/security/security-advisories/cve-2025-4123/
reference_id cve-2025-4123
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T13:21:28Z/
url https://grafana.com/security/security-advisories/cve-2025-4123/
11
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52491.txt
reference_id CVE-2025-4123
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52491.txt
12
reference_url https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
reference_id grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T13:21:28Z/
url https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
13
reference_url https://access.redhat.com/errata/RHSA-2025:7892
reference_id RHSA-2025:7892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7892
14
reference_url https://access.redhat.com/errata/RHSA-2025:7893
reference_id RHSA-2025:7893
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7893
15
reference_url https://access.redhat.com/errata/RHSA-2025:7894
reference_id RHSA-2025:7894
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7894
16
reference_url https://access.redhat.com/errata/RHSA-2025:8665
reference_id RHSA-2025:8665
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8665
17
reference_url https://access.redhat.com/errata/RHSA-2025:8679
reference_id RHSA-2025:8679
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8679
18
reference_url https://access.redhat.com/errata/RHSA-2025:8680
reference_id RHSA-2025:8680
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8680
19
reference_url https://access.redhat.com/errata/RHSA-2025:8681
reference_id RHSA-2025:8681
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8681
20
reference_url https://access.redhat.com/errata/RHSA-2025:8683
reference_id RHSA-2025:8683
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8683
21
reference_url https://access.redhat.com/errata/RHSA-2025:8684
reference_id RHSA-2025:8684
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8684
22
reference_url https://access.redhat.com/errata/RHSA-2025:8685
reference_id RHSA-2025:8685
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8685
Weaknesses
0
cwe_id 79
name Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1
cwe_id 601
name URL Redirection to Untrusted Site ('Open Redirect')
description A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Exploits
0
date_added 2026-04-06
description Grafana 11.6.0 - SSRF
required_action null
due_date null
notes null
known_ransomware_campaign_use false
source_date_published 2026-04-06
exploit_type webapps
platform multiple
source_date_updated 2026-04-06
data_source Exploit-DB
source_url
Severity_range_score 7.0 - 8.9
Exploitability 2.0
Weighted_severity 8.0
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ss32-rtp3-zufc