The built-in XY Chart plugin is vulnerable to DOM XSS. A user with Editor permissions can modify an XY Chart panel to make it execute arbitrary JavaScript.

Credits
Paul Gerste (Sonar)

References
https://grafana.com/security/security-advisories/cve-2025-2703
https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/