Company
Date Published
Author
Kristian Bremberg
Word count
920
Language
English
Hacker News points
None

Summary

Grafana Labs has released security patches for multiple Grafana versions addressing two vulnerabilities: a high-severity cross-site scripting (XSS) issue, CVE-2025-6023, and a medium-severity open redirect, CVE-2025-6197. The XSS, reported through Grafana's bug bounty program, combines a client-side path traversal with an open redirect so that an attacker can execute arbitrary JavaScript in a victim's browser, with consequences such as session hijacking. The advisory states that the issue affects users with Viewer permissions and that Grafana Cloud is also affected because of certain content security policy (CSP) configurations. The open redirect, also reported through the bug bounty program, can send users who belong to more than one Grafana organization to an attacker-controlled site; Grafana Cloud is not affected by it. Affected users should upgrade to the patched versions or apply the mitigations listed in the advisory. The fixes were coordinated under embargo with cloud providers so that managed offerings such as Amazon Managed Grafana and Azure Managed Grafana were patched before disclosure, and the vulnerabilities were published on a structured timeline with credit to the reporters.
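Both advisories hinge on the same bug class: a redirect or path value taken from the request is trusted to stay on the application's own origin. The check below is an added illustration of how a server-side handler can validate such a value before sending it in a Location header; it is not Grafana's code, not the actual fix for either CVE, and says nothing about which parameters were involved. The function name SafeRedirectTarget and the sample inputs are constructed for this example. It goes beyond the specific cases in the advisory by also covering the usual bypass shapes for this class (protocol-relative URLs, backslash authority tricks, scheme handlers, percent-encoded traversal, control characters).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// hasUnsafeChars reports whether s contains characters that browsers
// reinterpret when parsing a URL: ASCII control characters (tabs and
// newlines are stripped, so "java\tscript:" still runs) and backslashes
// (treated as "/" in the authority position, so "/\evil" means "//evil").
func hasUnsafeChars(s string) bool {
	for _, r := range s {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return true
		}
	}
	return false
}

// SafeRedirectTarget validates a user-supplied "redirect to" value and
// returns a normalised same-origin path that is safe to use as a redirect
// target. ok is false for anything that could leave the origin or reach a
// script handler. Generic check for the open-redirect / client path
// traversal class; assumed design, not Grafana's implementation.
func SafeRedirectTarget(target string) (clean string, ok bool) {
	if target == "" || hasUnsafeChars(target) {
		return "", false
	}
	u, err := url.Parse(target)
	if err != nil {
		return "", false
	}
	// A scheme (http:, javascript:, data:), a host ("//evil.example") or
	// userinfo means the value is not a plain same-origin path.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// u.Path is percent-decoded, so "%5C" is now a real backslash and
	// "%0a" a real newline: re-check after decoding.
	if !strings.HasPrefix(u.Path, "/") || hasUnsafeChars(u.Path) {
		return "", false
	}
	// "%2e%2e" has already been decoded to "..": refuse traversal segments
	// outright instead of silently collapsing them.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", false
		}
	}
	// path.Clean collapses repeated slashes, so a decoded "//evil" cannot
	// survive as a protocol-relative target.
	clean = path.Clean(u.Path)
	if !strings.HasPrefix(clean, "/") || strings.HasPrefix(clean, "//") {
		return "", false
	}
	if u.RawQuery != "" {
		clean += "?" + u.RawQuery
	}
	return clean, true
}

func main() {
	// Constructed sample inputs: the first two are legitimate in-app paths,
	// the rest are the shapes an attacker uses to escape the origin.
	samples := []string{
		"/d/abc123/my-dashboard",
		"/explore?orgId=1",
		"https://evil.example/",
		"//evil.example/phish",
		`/\evil.example`,
		"/%5Cevil.example",
		"javascript:alert(document.cookie)",
		"/d/%2e%2e/%2e%2e/evil",
		"/d/../..//evil.example",
		"/d/abc\n/x",
	}
	for _, s := range samples {
		p, ok := SafeRedirectTarget(s)
		fmt.Printf("%-40q ok=%-5v -> %q\n", s, ok, p)
	}
}
```

The same rule applies in browser code that builds a navigation target from a path parameter: validate the value against the shapes above before handing it to the router or to `window.location`, rather than relying on a CSP to contain whatever script a redirect lands on.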