Grafana Patches CVE-2025-3260 and More in Critical Security Update
Grafana Labs has released critical security updates to address three vulnerabilities in Grafana OSS and Grafana Enterprise. The most severe, CVE-2025-3260, allows users with minimal permissions to bypass dashboard-level permissions, potentially leading to unauthorized access to dashboards. The two medium-severity issues are CVE-2025-2703, a DOM-based XSS vulnerability in the XY chart plugin, and CVE-2025-3454, which permits unauthorized read access to certain data sources. Fixes are available in several security releases, and users are strongly advised to update immediately. For those unable to patch right away, interim mitigations are recommended: blocking specific inbound traffic, enabling Trusted Types, or placing a reverse proxy in front of Grafana to normalize URLs. These vulnerabilities highlight the importance of applying security updates promptly to data visualization and monitoring platforms.