VulnerableCode Package Details - pkg:rpm/redhat/grafana@10.2.6-17?arch=el10

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:rpm/redhat/grafana@10.2.6-17?arch=el10_0

purl	pkg:rpm/redhat/grafana@10.2.6-17?arch=el10_0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-ss32-rtp3-zufc Aliases: CVE-2025-4123 GHSA-q53q-gxq9-mgrj	Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:40:12.258957+00:00	RedHat Importer	Affected by	VCID-ss32-rtp3-zufc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json	38.0.0