CVE-2026-22638

Name of the Vulnerable Software and Affected Versions Grafana (affected versions not specified)

Description A cross-site scripting (XSS) issue exists in Grafana due to a combination of client path traversal and open redirect. This allows attackers to redirect users to a website hosting a frontend plugin capable of executing arbitrary JavaScript. The issue does not require editor permissions and is exploitable even with anonymous access enabled. If the Grafana Image Renderer plugin is installed, the open redirect can lead to a full read Server-Side Request Forgery (SSRF). The default Content-Security-Policy (CSP) in Grafana may block the XSS through the connect-src directive.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.