Grafana has released security patches for all supported versions, including Grafana 12.0.0+security-01, to address a high severity cross-site scripting (XSS) vulnerability identified as CVE-2025-4123. This vulnerability, which allows attackers to redirect users to malicious websites through custom frontend plugins, was disclosed a day earlier than planned due to a public leak. The vulnerability impacts Grafana OSS and Grafana Enterprise from versions as far back as Grafana 8, although Grafana Cloud instances, including Amazon Managed Grafana and Azure Managed Grafana, are not affected. The vulnerability can be exploited without editor permissions if anonymous access is enabled, posing risks such as session hijacking or account takeover. Users are advised to upgrade their Grafana instances or apply a suggested Content Security Policy configuration to mitigate the risk. The vulnerability was initially reported on April 26, 2025, and a fix was developed internally by April 30, with public releases following on May 21. The discovery and disclosure were managed through Grafana's bug bounty program, with acknowledgments given to Alvaro Balada for reporting the issue.
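A defender-side check for the two configuration factors the advisory calls out (anonymous access widening exposure, and the Content Security Policy as the interim mitigation), written here as an added example rather than Grafana's own tooling. It assumes the standard grafana.ini keys `[auth.anonymous] enabled` and `[security] content_security_policy` / `content_security_policy_template`; the sample file is constructed.

```python
"""Audit a grafana.ini for the CVE-2025-4123 risk factors named in the advisory.

Added example, not Grafana's tooling. Assumes the standard grafana.ini keys
[auth.anonymous] enabled and [security] content_security_policy /
content_security_policy_template. The sample below is constructed.
"""
import configparser

# Constructed sample: anonymous access on, CSP off, i.e. the exposed setup.
SAMPLE_INI = """
[auth.anonymous]
enabled = true
org_role = Viewer

[security]
content_security_policy = false
"""


def audit_grafana_ini(text: str) -> list[str]:
    """Return a list of findings for the given grafana.ini contents."""
    # Grafana's template uses $NONCE/$ROOT_PATH; disable configparser interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # Anonymous access makes the issue reachable without editor permissions.
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("anonymous access enabled: CVE-2025-4123 reachable without login")

    # The interim mitigation is a CSP; flag when it is off or lacks script-src.
    if not cfg.getboolean("security", "content_security_policy", fallback=False):
        findings.append("content_security_policy disabled: CSP mitigation not applied")
    else:
        tmpl = cfg.get("security", "content_security_policy_template", fallback="")
        if "script-src" not in tmpl:
            findings.append("CSP enabled but template lacks a script-src directive")
    return findings


if __name__ == "__main__":
    for finding in audit_grafana_ini(SAMPLE_INI):
        print("FINDING:", finding)
```

Upgrading remains the primary fix; the CSP check only confirms the mitigation is switched on, not that the policy text matches what Grafana published.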