
CVE-2025-58746: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in VolkovLabs business-links

Critical
Type: Vulnerability
Tags: CVE-2025-58746, cve, cve-2025-58746, cwe-79, cwe-83
Published: Mon Sep 08 2025 (09/08/2025, 22:44:04 UTC)
Source: CVE Database V5
Vendor/Project: VolkovLabs
Product: business-links

Description

The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. Prior to version 2.4.0, a malicious actor with Editor privileges can escalate their privileges to Administrator and perform arbitrary administrative actions. This is possible because the plugin allows arbitrary JavaScript code injection in the [Layout] → [Link] → [URL] field. Version 2.4.0 contains a fix for the issue.

AI-Powered Analysis

Last updated: 09/08/2025, 23:01:33 UTC

Technical Analysis

CVE-2025-58746 is a critical cross-site scripting (XSS) vulnerability affecting the VolkovLabs Business Links plugin for Grafana versions prior to 2.4.0. The plugin facilitates navigation through external links, internal dashboards, time pickers, and dropdown menus within Grafana. The vulnerability arises from improper neutralization of input in the [Layout] → [Link] → [URL] field, which allows an attacker with Editor privileges to inject arbitrary JavaScript code. This injected code can be executed in the context of the Grafana web application, enabling the attacker to escalate their privileges from Editor to Administrator. With Administrator privileges, the attacker can perform arbitrary administrative actions, potentially compromising the confidentiality, integrity, and availability of the Grafana instance and its data. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-83 (Improper Neutralization of Script-Related HTML Tags). The CVSS v3.1 score is 9.1 (critical), reflecting the network attack vector, low attack complexity, required privileges at the Editor level, user interaction needed, scope change, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and high impact make this a significant threat. The issue is resolved in version 2.4.0 of the plugin, which properly sanitizes input in the URL field to prevent JavaScript injection.
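The advisory states that the fix "properly sanitizes input in the URL field" but does not show how. The following is an added, illustrative hardening routine written for this page; it is not the Business Links plugin's own code. It assumes the dangerous input is a script-bearing URL scheme such as `javascript:` entered into a link field (an assumption; the advisory only says "arbitrary JavaScript code injection"), and it assumes a hypothetical Grafana origin `https://grafana.example/` for resolving internal dashboard paths. Function names (`validateLinkUrl`, `renderLink`, `escapeHtml`) are invented for the example.

```javascript
// Added example (not from the VolkovLabs plugin): allow-list validation for a
// user-supplied link URL before it is rendered as an href, plus HTML escaping
// of the link label. Assumes the injection vector is a script-bearing URL
// scheme (e.g. javascript:), which the advisory does not spell out.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical Grafana origin used to resolve relative dashboard paths.
const GRAFANA_BASE = "https://grafana.example/";

// Remove ASCII control characters and spaces so the scheme check below cannot be
// dodged with "java\tscript:" or a leading space (browsers ignore those too).
function normalizeForSchemeCheck(raw) {
  return String(raw).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Returns { ok: true, href } when the URL may be rendered, else { ok: false, reason }.
function validateLinkUrl(raw, { base = GRAFANA_BASE } = {}) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  const cleaned = normalizeForSchemeCheck(raw);

  // Internal dashboard links are relative paths. Resolve them against the Grafana
  // origin and confirm they did not escape it: "/\evil.example" is parsed as
  // "//evil.example" by browsers, so an origin comparison is required.
  if (cleaned.startsWith("/") && !cleaned.startsWith("//")) {
    const resolved = new URL(raw.trim(), base);
    if (resolved.origin !== new URL(base).origin) {
      return { ok: false, reason: "relative path escaped the Grafana origin" };
    }
    return { ok: true, href: resolved.href };
  }

  // Absolute URLs: let the WHATWG parser normalise the scheme (case, embedded
  // tabs/newlines), then allow-list it. Anything else, including javascript:,
  // data: and vbscript:, is rejected.
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  return { ok: true, href: parsed.href };
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor markup for one link row. A rejected URL is rendered inert
// ("#") rather than passed through, and the label is always escaped.
function renderLink(label, rawUrl) {
  const result = validateLinkUrl(rawUrl);
  const href = result.ok ? result.href : "#";
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Usage (constructed inputs):
console.log(renderLink("Ops dashboard", "/d/abc?orgId=1"));
console.log(renderLink("Vendor docs", "https://grafana.com/docs/"));
console.log(validateLinkUrl("javascript:void(0)"));
```

The allow-list deliberately rejects every scheme it does not know, so `mailto:` or `tel:` links would also be refused; widen `ALLOWED_SCHEMES` explicitly if a deployment needs them. Validating the URL server-side when the panel configuration is saved, rather than only at render time, keeps an Editor from persisting a bad value at all.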

Potential Impact

For European organizations using Grafana with the VolkovLabs Business Links plugin, this vulnerability poses a severe risk. An attacker with Editor access—often granted to users responsible for creating and modifying dashboards—can escalate privileges to Administrator, gaining full control over the Grafana environment. This can lead to unauthorized access to sensitive monitoring data, manipulation or deletion of dashboards, and potential lateral movement within the network if Grafana is integrated with other systems. The compromise of Grafana can disrupt operational monitoring and alerting, impacting business continuity. Additionally, since Grafana is widely used in sectors such as finance, manufacturing, energy, and public services across Europe, the vulnerability could affect critical infrastructure monitoring and management. The requirement for user interaction (e.g., clicking a crafted link) slightly reduces the risk but does not eliminate it, especially in environments where users may be less security-aware. The vulnerability's ability to change the scope from user-level to administrative-level access significantly increases the potential damage.

Mitigation Recommendations

European organizations should immediately verify the version of the VolkovLabs Business Links plugin in use and upgrade to version 2.4.0 or later, which contains the fix for this vulnerability. Until the upgrade is applied, organizations should restrict Editor privileges to trusted users only and monitor for unusual activity within Grafana, such as unexpected changes to dashboards or administrative settings. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the Grafana web interface. Additionally, organizations should conduct user awareness training to reduce the risk of social engineering attacks that could trigger the vulnerability. Network segmentation and access controls should be enforced to limit exposure of the Grafana instance to only necessary users and systems. Regularly review and audit Grafana logs for signs of exploitation attempts. If upgrading immediately is not feasible, consider disabling or restricting the use of the Business Links plugin temporarily.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-04T19:18:09.498Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68bf5ce1d5a2966cfc83ddad

Added to database: 9/8/2025, 10:46:57 PM

Last enriched: 9/8/2025, 11:01:33 PM

Last updated: 9/9/2025, 1:33:51 PM

