Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.
CVE-2021-41174
Score elevated to 9.0 because EPSS predicts 88% probability of exploitation within the next 30 days (top 0.5% of all CVEs). NVD baseline CVSS 6.9 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 85%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 6.9
- EG Score
- 9.0(high)
- EPSS
- 99.7%
- KEV
- Not listed
Published
November 3, 2021
Last Modified
November 21, 2024
References (10)
- security-advisories@githubhttps://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912
- security-advisories@githubhttps://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82
- security-advisories@githubhttps://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88
- security-advisories@githubhttps://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- security-advisories@githubhttps://security.netapp.com/advisory/ntap-20211125-0003/
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88
- af854a3a-2127-422b-91ae-364da2661108https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20211125-0003/
Affected Packages
(1 across 1 ecosystem)
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| @grafana/data | — | 8.2.3 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 1× in last 7d / 21× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-06-30 08:00 UTCOSV refresh
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 17:40 UTCOSV refresh
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
Show 14 moreShow fewer
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 08:05 UTCEG score recompute
- 2026-05-26 04:16 UTCOSV refresh
Publicly available exploits
(1 reference)Working exploit code is in the public domain. Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Nucleihttp/cves/2021/CVE-2021-41174.yamlFirst seen Jan 1, 2021
Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
Open source ↗
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2021-41174?
When was CVE-2021-41174 disclosed?
Is CVE-2021-41174 actively exploited?
What is the CVSS score of CVE-2021-41174?
How do I remediate CVE-2021-41174?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-41174
Is Your Infrastructure Affected by CVE-2021-41174?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.