CVE-2025-6023
Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana
7.6
HIGH
CVSS 3.1
EPSS 7.1%
Description
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01.
How to fix CVE-2025-6023
To remediate CVE-2025-6023, upgrade the affected package to a fixed version below.
- —upgrade to 11.6.3 or later
- —upgrade to 1.9.2-0.20250521205822-0ba0b99665a9 or later
- —no fix listed
Is CVE-2025-6023 being exploited?
Moderate — EPSS is 7.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- >= 11.3.0, < 11.6.3, >= 12.0.0, < 12.0.2
- from 0, < 1.9.2-0.20250521205822-0ba0b99665a9
- from 0
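The two Grafana ranges above are half-open intervals in OSV's format (affected from the first version, fixed at the second). The following Go program is an added example, not code from Grafana or from the advisory's source database, that checks an installed Grafana version string against exactly those two ranges. The version strings and range bounds are taken from this page; the parsing rules (drop `+security-01` build metadata before comparing, because semver precedence ignores it, and treat a `-` pre-release suffix as sorting before the corresponding release) are standard semver behaviour and are an assumption about how a reader's inventory reports versions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH triple plus a flag for a pre-release
// suffix. Build metadata such as "+security-01" (the suffix on the Grafana
// fixed releases) never affects precedence, so it is discarded.
type version struct {
	major, minor, patch int
	pre                 bool // "-rc1" style suffix: sorts before the release
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i] // drop build metadata
	}
	var v version
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre = true // pre-release: ranks below the plain release
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a sorts before b under semver precedence.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// affectedRange is a half-open interval [introduced, fixed) as OSV records it.
type affectedRange struct{ introduced, fixed string }

// grafanaAffected holds the two Grafana ranges listed on this page for CVE-2025-6023.
var grafanaAffected = []affectedRange{
	{introduced: "11.3.0", fixed: "11.6.3"},
	{introduced: "12.0.0", fixed: "12.0.2"},
}

// IsAffected reports whether installed falls inside any of the given ranges.
func IsAffected(installed string, ranges []affectedRange) (bool, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		lo, err := parseVersion(r.introduced)
		if err != nil {
			return false, err
		}
		hi, err := parseVersion(r.fixed)
		if err != nil {
			return false, err
		}
		if !v.less(lo) && v.less(hi) {
			return true, nil
		}
	}
	return false, nil
}

// GrafanaAffected checks a version against the ranges on this page.
func GrafanaAffected(installed string) (bool, error) {
	return IsAffected(installed, grafanaAffected)
}

func main() {
	// Constructed sample inventory values, not real hosts.
	for _, s := range []string{"11.2.9", "11.3.0", "11.6.2", "11.6.3", "12.0.1", "12.0.2+security-01", "12.0.2-rc1"} {
		hit, err := GrafanaAffected(s)
		if err != nil {
			fmt.Println(s, "error:", err)
			continue
		}
		fmt.Printf("%-20s affected=%v\n", s, hit)
	}
}
```

Feed `GrafanaAffected` the version string your asset inventory reports; a `true` result means the install sits inside one of the page's affected ranges and should be upgraded to a fixed release listed above.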
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |