Author: Grafana Labs Team
Word count: 1190
Language: English

Summary

Grafana Labs has released security patches for Grafana 12.0 and other supported versions to address two vulnerabilities, CVE-2025-4123 and CVE-2025-3580.

CVE-2025-4123 is a high-severity cross-site scripting (XSS) vulnerability. It could allow attackers to redirect users to malicious websites and execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or account takeover. It affects Grafana OSS and Grafana Enterprise from version 8 onwards; Grafana Cloud users are not impacted.

CVE-2025-3580, rated medium severity, stems from a flaw in the user-deletion logic that could let an organization admin delete a server administrator. If no other admin account exists, the Grafana instance becomes unmanageable.

Users are advised to upgrade their Grafana instances to the latest patched versions to mitigate these risks. Cloud providers such as Amazon Managed Grafana and Azure Managed Grafana have confirmed that their services are secure following early notification and patching. Both vulnerabilities were discovered and reported through Grafana's bug bounty program, underscoring the value of continuous security assessment and prompt patching in protecting against exploitation.