CVSSv3: 7.6

CVE-2025-4123

CVSSv4: NA | CVSSv3: 7.6 | CVSSv2: NA | VMScore: 860 | EPSS: 0.01608 | KEV: Not Included
Published: 22/05/2025 Updated: 23/05/2025

Vulnerability Summary

Cross-Site Scripting in Grafana via Client Path Traversal and Open Redirect

A cross-site scripting (XSS) vulnerability exists in Grafana due to a combination of client path traversal and open redirect. This allows attackers to redirect users to a website with a frontend plugin that can execute arbitrary JavaScript. The vulnerability does not require editor permissions and will work if anonymous access is enabled. If the Grafana Image Renderer plugin is installed, attackers can exploit the open redirect to achieve a full read SSRF. However, the default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.

Vulnerability Trend

Vulnerable Product

grafana grafana

Github Repositories

CVE-2025-4123

Blackash-CVE-2025-4123 CVE-2025-4123 CVE ID: "CVE-2025-4123" Severity: High Base Score: 7.6 HIGH 🔴 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L Impact: Server-Side Request Forgery (SSRF), Cross-Site Scripting Affected Versions: Grafana 11.2, Grafana 11.3, Grafana 11.4, Grafana 11.5, Grafana 11.6, Grafana 12.0 Description A cross-site scripting (XSS) vulner

CVE-2025-4123 - Grafana Tool

CVE-2025-4123 - Grafana Path Traversal Exploit Developed by mitsec This is a proof-of-concept (PoC) exploit tool for CVE-2025-4123, a critical path traversal vulnerability in Grafana's /public endpoint The exploit allows for: ✅ Server-Side Request Forgery (SSRF) ✅ Local File Inclusion (LFI) ✅ Open Redirect ✅ Cross-Site Scripting (XSS) 🔥 Affected Grafana ins

CVE-2025-4123

Recent Articles

Over 46,000 Grafana instances exposed to account takeover bug
BleepingComputer • Bill Toulas • 15 Jun 2025

More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover. The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics. The vulnerability was discovered by bug...