Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Grafana |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|---|
| Grafana |
|
References
History
Thu, 12 Feb 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Grafana
Grafana grafana Grafana grafana Enterprise |
|
| Vendors & Products |
Grafana
Grafana grafana Grafana grafana Enterprise |
Thu, 12 Feb 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever. | |
| Title | XSS in Grafana Explore stack trace | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GRAFANA
Published:
Updated: 2026-02-12T08:49:08.545Z
Reserved: 2025-04-16T09:19:26.443Z
Link: CVE-2025-41117
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-12T09:16:07.630
Modified: 2026-02-12T09:16:07.630
Link: CVE-2025-41117
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-02-12T11:19:11Z