{"id":"CVE-2025-11539","summary":"Arbitrary Code Execution in Grafana Image Renderer Plugin","details":"Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.\n\nInstances are vulnerable if:\n\n1. The default token (\"authToken\") is not changed, or is known to the attacker.\n2. The attacker can reach the image renderer endpoint.\nThis issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.","aliases":["BIT-grafana-image-renderer-2025-11539"],"modified":"2026-07-15T01:49:19.943026039Z","published":"2025-10-09T07:18:15.819Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11539.json","cna_assigner":"GRAFANA","cwe_ids":["CWE-94"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11539.json"},{"type":"ADVISORY","url":"https://grafana.com/security/security-advisories/cve-2025-11539/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11539"},{"type":"FIX","url":"https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grafana/grafana-image-renderer","events":[{"introduced":"64b48a44ea58a97c4795f4987c8285c32810fb85"},{"fixed":"3998b13834d08065b507e48ae3af9aadfa85dee9"},{"fixed":"1858c2c51347b23f43b1d288bc9222f16030e3f9"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"1.0.0"},{"fixed":"4.0.16"}]}}],"versions":["v4.0.16","v4.0.15","v4.0.14","v4.0.13","v4.0.12","v4.0.11","v4.0.10","v4.0.9","v4.0.8","v4.0.7","v4.0.6","v4.0.5","v4.0.4","v4.0.3","v4.0.2","v4.0.1","v4.0.0","v3.12.9","v3.12.8","v3.12.7","v3.12.5","v3.12.4","v3.12.3","v3.12.2","v3.12.1","v3.12.0","v3.11.6","v3.11.3","v3.11.2","v3.11.1","v3.11.0","v3.10.5","v3.10.4","v3.10.2","v3.10.1","v3.10.0","v3.9.1","v3.9.0","v3.8.4","v3.8.3","v3.8.2","v3.8.1","v3.8.0","v3.7.2","v3.7.1","v3.7.0","v3.6.3","v3.6.2","v3.6.1","v3.5.0","v3.4.2","v3.4.1","v3.4.0","v3.3.0","v3.2.1","v3.2.0","v3.1.0","v3.0.1","v3.0.0","v3.0.0-beta2","v3.0.0-beta1","v2.1.1","v2.1.0","v2.0.1","v2.0.0","v2.0.0-beta1","v1.0.12","v1.0.12-beta1","v1.0.11","v1.0.10","v1.0.9","v1.0.8","v1.0.8-beta2","v1.0.8-beta1","v1.0.7","v1.0.6","v1.0.5","v1.0.4","v1.0.3","v1.0.2","v1.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11539.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}