Grafana Labs has released security patches for several versions of Grafana, addressing three vulnerabilities of high and medium severity: CVE-2025-3260, CVE-2025-2703, and CVE-2025-3454.

CVE-2025-3260 (CVSS 8.3) allows users with Viewer and Editor roles to bypass dashboard-specific permissions. It affects Grafana 11.6.x, and the mitigation is to upgrade.

CVE-2025-2703 (CVSS 6.8) is a DOM XSS vulnerability in Grafana's XY chart plugin. It affects versions from 11.1.0 and is mitigated by upgrading or by enabling Trusted Types.

CVE-2025-3454 (CVSS 5.0) affects the data source proxy API and allows unauthorized read access to certain endpoints. It affects versions from 8.0, and the mitigation is to upgrade or to use a reverse proxy.

Grafana Cloud instances have already been patched, and Amazon Managed Grafana and Azure Managed Grafana have both confirmed that their services are secure. Users are urged to update to the appropriate patched versions; detailed incident timelines and mitigation steps are available on Grafana's blog.