Vulnerability DatabaseCVE-2025-11539

CVE-2025-11539:
Grafana vulnerability analysis and mitigation

Overview

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability in versions 1.0.0 through 4.0.16. The vulnerability (CVE-2025-11539) was disclosed on October 9, 2025. The issue stems from the /render/csv endpoint lacking validation of the filePath parameter, which allows attackers to save a shared object to an arbitrary location that is then loaded by the Chromium process (Grafana Advisory).

Technical details

The vulnerability exists in the /render/csv endpoint where insufficient validation of the filePath parameter enables arbitrary file write capabilities. The vulnerability has a CVSS v3.1 Base Score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

Impact

When successfully exploited, this vulnerability allows attackers to execute arbitrary code through the Chromium process. The vulnerability is particularly severe as it affects all versions of grafana-image-renderer from 1.0.0 through 4.0.16 (Grafana Advisory).

Mitigation and workarounds

Users should upgrade to Grafana Image Renderer version 4.0.17 or later which contains the fix for this vulnerability. The fix includes proper validation of the filePath parameter to prevent arbitrary file writes (GitHub Release).

Additional resources

Source: This report was generated using AI

Related Grafana vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-33941	HIGH	8.2	Grafana	handlebars	No	Yes	Mar 27, 2026
CVE-2026-4800	HIGH	8.1	JavaScript	gjs-devel	No	Yes	Mar 31, 2026
CVE-2026-34043	MEDIUM	5.9	JavaScript	aspnetcore-runtime-6.0	No	Yes	Mar 31, 2026
CVE-2026-34165	MEDIUM	5	Packer	crossplane-fips-1.20	No	Yes	Mar 31, 2026
CVE-2026-33762	LOW	2.8	Packer	packer	No	Yes	Mar 31, 2026