CVE-2025-58746 is a critical cross-site scripting (XSS) vulnerability identified in the VolkovLabs Business Links plugin for Grafana, affecting versions prior to 2.4.0. This plugin facilitates navigation through external links, internal dashboards, time pickers, and dropdown menus within Grafana. The vulnerability arises from improper neutralization of input during web page generation, specifically in the [Layout] → [Link] → [URL] field, which allows injection of arbitrary JavaScript code. An attacker with Editor privileges can exploit this flaw by injecting malicious scripts into the URL field. This malicious code executes in the context of the victim’s browser, enabling the attacker to escalate privileges from Editor to Administrator. With Administrator rights, the attacker can perform arbitrary administrative actions, potentially compromising the entire Grafana instance. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-83 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The CVSS v3.1 base score is 9.1, indicating a critical severity with network attack vector, low attack complexity, requiring privileges but user interaction, and impacts confidentiality, integrity, and availability with scope change. Although no known exploits are reported in the wild yet, the high severity and ease of exploitation make this a significant threat. Version 2.4.0 of the plugin addresses this issue by properly sanitizing input in the URL field to prevent JavaScript injection.

For European organizations using Grafana with the VolkovLabs Business Links plugin (versions prior to 2.4.0), this vulnerability poses a severe risk. An attacker who gains Editor access—often a lower privilege role—can escalate to Administrator, leading to full control over the Grafana environment. This can result in unauthorized access to sensitive dashboards, manipulation or deletion of monitoring data, disruption of monitoring services, and potential lateral movement within the network. Given Grafana’s widespread use in monitoring critical infrastructure, IT operations, and industrial control systems, exploitation could impact confidentiality, integrity, and availability of operational data. This could lead to operational downtime, data breaches, and loss of trust. The requirement for Editor privileges and user interaction slightly limits the attack surface but does not mitigate the criticality, especially in environments where Editor roles are broadly assigned or where social engineering can be leveraged. The absence of known exploits in the wild suggests organizations have a window to patch before active exploitation occurs, but the critical CVSS score demands immediate attention.

1. Immediate upgrade to VolkovLabs Business Links plugin version 2.4.0 or later to apply the official fix that sanitizes the URL input field. 2. Review and restrict Editor privileges within Grafana to only trusted users, minimizing the number of accounts that could exploit this vulnerability. 3. Implement strict input validation and Content Security Policy (CSP) headers at the web server or reverse proxy level to limit the execution of injected scripts. 4. Monitor Grafana logs for unusual administrative actions or privilege escalations, and enable alerting for suspicious activities. 5. Conduct regular security audits of Grafana plugins and configurations to detect outdated or vulnerable components. 6. Educate users with Editor roles about phishing and social engineering risks to reduce the likelihood of user interaction exploitation. 7. If upgrading immediately is not feasible, consider temporarily disabling the Business Links plugin or restricting access to the affected functionality until patched.