CVE-2026-32117

Name of the Vulnerable Software and Affected Versions grafanacubism-panel versions 0.1.2 and earlier

Description The grafanacubism-panel plugin enables the use of cubism.js within Grafana. The panel’s zoom-link handler directly passes a URL supplied by the dashboard editor to window.location.assign() or window.open() without validating the URL scheme. An attacker possessing dashboard Editor privileges can configure the link to a javascript: URI. Subsequently, when any Viewer performs a drag-zoom action on the panel, the malicious code executes within the Grafana origin. The vulnerable component is the zoom-link handler. The vulnerable functions are window.location.assign() and window.open().

Recommendations Update grafanacubism-panel to a version later than 0.1.2.