Vulnerability details: VCID-ss32-rtp3-zufc
Vulnerability ID VCID-ss32-rtp3-zufc
Aliases CVE-2025-4123
GHSA-q53q-gxq9-mgrj
Summary Grafana Cross-Site Scripting (XSS) via custom loaded frontend plugin. A cross-site scripting (XSS) vulnerability exists in Grafana, caused by combining a client-side path traversal with an open redirect. This allows an attacker to redirect users to a website that hosts a frontend plugin, which the Grafana frontend then loads and which executes arbitrary JavaScript. The vulnerability does not require editor permissions, and if anonymous access is enabled it is exploitable without any authentication. If the Grafana Image Renderer plugin is installed, the open redirect can additionally be exploited to achieve a full-read SSRF. The default Content-Security-Policy (CSP) in Grafana blocks the XSS through the `connect-src` directive.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
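The summary above notes that Grafana's default CSP blocks this XSS through the `connect-src` directive, which means an operator who has overridden the policy template may have silently lost that mitigation. The following check is an added example, not Grafana's own code: it parses a Content-Security-Policy header value the way a browser does (first occurrence of a directive wins, `connect-src` falls back to `default-src`) and reports whether the effective `connect-src` is still an explicit allowlist. The sample header values are constructed; the first is modelled on the shape of Grafana's default policy template and `grafana.example.internal` is a placeholder host.

```python
"""Check whether a Content-Security-Policy header still restricts connect-src.

Added example (not Grafana code). Grafana's advisory for CVE-2025-4123 states
that the default CSP blocks the XSS via `connect-src`; this parser reads the
header a Grafana instance returns and reports whether the effective
connect-src is restrictive. All sample header values below are constructed.
"""
from typing import Dict, List, NamedTuple, Optional

# Source expressions that allow connections to arbitrary hosts.
PERMISSIVE = {"*", "http:", "https:", "ws:", "wss:",
              "http://*", "https://*", "ws://*", "wss://*"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directive names are case-insensitive. Per the CSP spec only the first
    occurrence of a directive is honoured, so duplicates are ignored here too.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_connect_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """connect-src governs fetch/XHR/WebSocket and falls back to default-src.

    Returns None when neither directive is present (connections unrestricted).
    """
    if "connect-src" in policy:
        return policy["connect-src"]
    return policy.get("default-src")


class ConnectSrcVerdict(NamedTuple):
    restricted: bool          # True if connect-src is an explicit allowlist
    sources: List[str]        # the effective source list (possibly via default-src)
    permissive: List[str]     # sources that open connections to any host


def assess_connect_src(header: str) -> ConnectSrcVerdict:
    """Report whether the policy confines connect-src to an allowlist.

    Host allowlists (including host wildcards such as *.example.com) count as
    restrictive; a bare '*', a scheme-only source or 'scheme://*' does not.
    """
    sources = effective_connect_src(parse_csp(header))
    if sources is None:
        return ConnectSrcVerdict(False, [], [])
    permissive = [s for s in sources if s.lower() in PERMISSIVE]
    return ConnectSrcVerdict(not permissive, sources, permissive)


# Constructed sample, modelled on the shape of Grafana's default policy template.
DEFAULT_LIKE = (
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-abc123';"
    "object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;"
    "img-src * data:;base-uri 'self';"
    "connect-src 'self' grafana.com ws://grafana.example.internal wss://grafana.example.internal;"
    "manifest-src 'self';media-src 'none';form-action 'self';"
)

# Constructed: an operator "fix" for a data-source proxy problem that opens connect-src.
OVERRIDDEN = DEFAULT_LIKE.replace(
    "connect-src 'self' grafana.com ws://grafana.example.internal wss://grafana.example.internal",
    "connect-src *",
)

# Constructed: no connect-src at all, but default-src supplies the fallback.
FALLBACK_ONLY = "default-src 'self';script-src 'self' 'nonce-abc123';"

# Constructed: neither directive, so nothing restricts outbound connections.
NO_RESTRICTION = "script-src 'self';img-src *;"


if __name__ == "__main__":
    for label, hdr in [("default-like", DEFAULT_LIKE), ("overridden", OVERRIDDEN),
                       ("fallback-only", FALLBACK_ONLY), ("no-restriction", NO_RESTRICTION)]:
        verdict = assess_connect_src(hdr)
        print(f"{label:15} restricted={verdict.restricted} permissive={verdict.permissive}")
```

To run it against a live instance, capture the header with `curl -sD - -o /dev/null https://<grafana-host>/login | grep -i content-security-policy` (substituting the host) and pass the value to `assess_connect_src`. Grafana only emits the header when `content_security_policy = true` in the `[security]` section of grafana.ini, and its shape comes from `content_security_policy_template`; a template that drops or widens `connect-src` removes the mitigation. This is a mitigation check only: the fix is the patched release referenced in the fixing commit listed on this page.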
Weaknesses (2)
System Score Found at
cvssv3 7.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json
epss 0.02887 https://api.first.org/data/v1/epss?cve=CVE-2025-4123
epss 0.0387 https://api.first.org/data/v1/epss?cve=CVE-2025-4123
epss 0.06301 https://api.first.org/data/v1/epss?cve=CVE-2025-4123
epss 0.08544 https://api.first.org/data/v1/epss?cve=CVE-2025-4123
cvssv3.1 7.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.6 https://github.com/grafana/grafana
generic_textual HIGH https://github.com/grafana/grafana
cvssv3.1 7.6 https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
generic_textual HIGH https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
cvssv3.1 7.6 https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
generic_textual HIGH https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
cvssv3.1 7.6 https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
ssvc Track https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
cvssv3.1 7.6 https://grafana.com/security/security-advisories/cve-2025-4123
generic_textual HIGH https://grafana.com/security/security-advisories/cve-2025-4123
cvssv3.1 7.6 https://grafana.com/security/security-advisories/cve-2025-4123/
ssvc Track https://grafana.com/security/security-advisories/cve-2025-4123/
cvssv3.1 7.6 https://nvd.nist.gov/vuln/detail/CVE-2025-4123
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-4123
cvssv3.1 7.6 https://pkg.go.dev/vuln/GO-2025-3702
generic_textual HIGH https://pkg.go.dev/vuln/GO-2025-3702
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json
https://api.first.org/data/v1/epss?cve=CVE-2025-4123
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/grafana/grafana
https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
https://grafana.com/security/security-advisories/cve-2025-4123
https://nvd.nist.gov/vuln/detail/CVE-2025-4123
https://pkg.go.dev/vuln/GO-2025-3702
2364632 https://bugzilla.redhat.com/show_bug.cgi?id=2364632
cve-2025-4123 https://grafana.com/security/security-advisories/cve-2025-4123/
CVE-2025-4123 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52491.txt
grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580 https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
RHSA-2025:7892 https://access.redhat.com/errata/RHSA-2025:7892
RHSA-2025:7893 https://access.redhat.com/errata/RHSA-2025:7893
RHSA-2025:7894 https://access.redhat.com/errata/RHSA-2025:7894
RHSA-2025:8665 https://access.redhat.com/errata/RHSA-2025:8665
RHSA-2025:8679 https://access.redhat.com/errata/RHSA-2025:8679
RHSA-2025:8680 https://access.redhat.com/errata/RHSA-2025:8680
RHSA-2025:8681 https://access.redhat.com/errata/RHSA-2025:8681
RHSA-2025:8683 https://access.redhat.com/errata/RHSA-2025:8683
RHSA-2025:8684 https://access.redhat.com/errata/RHSA-2025:8684
RHSA-2025:8685 https://access.redhat.com/errata/RHSA-2025:8685
Data source Exploit-DB
Date added April 6, 2026
Description Grafana 11.6.0 - SSRF
Ransomware campaign use Unknown
Source publication date April 6, 2026
Exploit type webapps
Platform multiple
Source update date April 6, 2026
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): low
Availability Impact (A): low
Found at (the same vector is reported by each of these sources):
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4123.json
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/grafana/grafana
https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580
https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
https://grafana.com/security/security-advisories/cve-2025-4123
https://grafana.com/security/security-advisories/cve-2025-4123/
https://nvd.nist.gov/vuln/detail/CVE-2025-4123
https://pkg.go.dev/vuln/GO-2025-3702
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T13:21:28Z/ Found at https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T13:21:28Z/ Found at https://grafana.com/security/security-advisories/cve-2025-4123/
Exploit Prediction Scoring System (EPSS)
Percentile 0.86273
EPSS Score 0.02887
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:56:58.495204+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-q53q-gxq9-mgrj/GHSA-q53q-gxq9-mgrj.json 38.0.0