Platform: other
Component: business-links
Fixed in: 2.4.1
CVE-2025-58746 is a privilege escalation vulnerability in Business Links, a Grafana panel plugin by Volkov Labs. An authenticated user holding the Editor role can escalate to Administrator and then perform arbitrary administrative actions. Versions of Business Links prior to 2.4.1 are affected; the fix shipped in version 2.4.1.
The impact is significant because the attacker needs nothing beyond an Editor account, a role commonly handed out to anyone who builds dashboards. The injection point is the 'URL' field in the panel's 'Link' settings: instead of an http(s) address, an Editor can store a link whose URL carries JavaScript. Because dashboards are shared, that script runs in the browser of whoever opens the dashboard and follows the link; when that viewer is an Administrator, the script runs with the Administrator's session and can use Grafana's own API to grant the attacker the Admin role. From there the attacker controls the Grafana instance: reading data through every configured data source, modifying or deleting dashboards and alert rules, and managing users and API keys.
CVE-2025-58746 was publicly disclosed on 2025-09-08. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score at the time of writing is 0.04% (10th percentile), a low predicted probability of exploitation in the wild; that score reflects the absence of observed exploit activity, not the difficulty of exploitation, which is low for anyone who already holds an Editor account. The vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (10th percentile)
CISA SSVC: (not available)
CVSS Vector: (not available)
The primary mitigation for CVE-2025-58746 is to upgrade Volkov Labs Business Links to version 2.4.1 or later without delay. If the upgrade must wait for compatibility testing, reduce exposure in the meantime: review who holds the Editor role and downgrade anyone who does not need to edit dashboards, and audit existing dashboards for Business Links panels whose link URLs use a scheme other than http or https (a javascript:, data: or vbscript: URL in a link field has no legitimate use and should be treated as an attempted exploit). Dashboard version history shows which account saved such a link. A WAF is of little help here, since the payload is stored through Grafana's normal dashboard-save API and executes in a browser, not on the server; Grafana's server logs do not record client-side script execution. As defense in depth, Grafana's [security] content_security_policy setting can restrict which scripts a page is allowed to run, but it is not a substitute for the upgrade and must be tested against your other plugins. After upgrading, confirm the installed plugin version (grafana-cli plugins ls, or the plugin catalog in the administration UI) and verify with a non-production Editor account that a link configured with a script URL is no longer rendered as an executable link.
Update the Volkov Labs Business Links plugin to version 2.4.1 or later; this version contains the fix for the privilege escalation. The update can be performed through the plugin catalog in the Grafana administration interface or with grafana-cli plugins update.
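The dashboard audit suggested above, written out as an added example (it is not part of the original page or of Volkov Labs' code): a Python script that pulls every dashboard's JSON model through the standard Grafana HTTP API endpoints /api/search and /api/dashboards/uid/<uid> and flags any link URL whose scheme a browser would execute as script. The script makes no assumption about how the Business Links panel lays out its options: it visits every key named url anywhere inside a panel, so it also covers the standard panel-level links array and panels nested in collapsed rows. It normalizes URLs the way browsers do (stripping leading control characters and removing embedded tabs and newlines), so an obfuscated `  JaVaScRiPt:` link is not missed. The sample dashboard embedded at the bottom is constructed for the example, and the plugin type string volkovlabs-links-panel in it is an assumption used only for illustration.

```python
"""Audit Grafana dashboards for link URLs that a browser would execute as script.

Added example for the mitigation section; not part of the Business Links project.
Assumptions: the standard Grafana HTTP API endpoints /api/search and
/api/dashboards/uid/<uid>, and a Bearer token in GRAFANA_TOKEN that can read dashboards.
"""
import json
import os
import re
import sys
import urllib.request
from typing import Any, Dict, Iterator, List, Optional, Tuple

DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}   # always a finding
SAFE_SCHEMES = {"http", "https", "mailto"}                # never a finding
# Any other scheme (ftp, custom handlers) is reported for manual review.

_EDGE_CTRL = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")   # leading/trailing C0 controls, space
_INNER_WS = re.compile(r"[\t\n\r]")                        # tab/LF/CR anywhere in the URL


def url_scheme(url: str) -> Optional[str]:
    """Scheme a browser would resolve for `url`, lower-cased; None for a relative URL.

    The WHATWG URL parser strips leading/trailing C0 controls and spaces and removes
    tab, LF and CR everywhere before parsing, so ' JavaScript:x' and 'java\\nscript:x'
    both run as script. A naive startswith('javascript:') check misses both.
    """
    cleaned = _INNER_WS.sub("", _EDGE_CTRL.sub("", url))
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


def iter_urls(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string stored under a key named 'url'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() == "url" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_urls(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_urls(item, f"{path}[{i}]")


def walk_panels(panels: List[dict]) -> Iterator[dict]:
    """Yield each panel, descending into collapsed rows (which nest children under 'panels')."""
    for panel in panels:
        yield panel
        yield from walk_panels(panel.get("panels", []))


def audit_dashboard(dashboard: dict) -> List[Dict[str, Any]]:
    """Return one finding per link URL whose scheme is dangerous or outside the allow-list."""
    findings = []
    for panel in walk_panels(dashboard.get("panels", [])):
        # Drop nested 'panels' so a row's children are not reported twice.
        own_fields = {k: v for k, v in panel.items() if k != "panels"}
        for path, url in iter_urls(own_fields, f"panel[{panel.get('id')}]"):
            scheme = url_scheme(url)
            if scheme is None or scheme in SAFE_SCHEMES:
                continue
            findings.append({
                "dashboard": dashboard.get("title"),
                "uid": dashboard.get("uid"),
                "panel_type": panel.get("type"),
                "path": path,
                "url": url,
                "severity": "dangerous" if scheme in DANGEROUS_SCHEMES else "review",
            })
    return findings


def fetch_dashboards(base_url: str, token: str) -> Iterator[dict]:
    """Pull every dashboard's JSON model through the Grafana HTTP API."""
    def get(path: str) -> Any:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    for hit in get("/api/search?type=dash-db&limit=5000"):
        yield get(f"/api/dashboards/uid/{hit['uid']}")["dashboard"]


# Constructed sample, not a real dashboard. Plugin id 'volkovlabs-links-panel' is assumed.
SAMPLE_DASHBOARD = {
    "title": "Ops overview", "uid": "sample01",
    "panels": [
        {"id": 1, "type": "volkovlabs-links-panel",
         "options": {"groups": [{"items": [
             {"name": "Runbook", "url": "https://wiki.example.internal/runbook"},
             {"name": "Looks harmless", "url": "  JaVaScRiPt:alert(document.domain)"}]}]}},
        {"id": 2, "type": "row", "collapsed": True, "panels": [
            {"id": 3, "type": "timeseries",
             "links": [{"title": "Raw", "url": "data:text/html,<script>alert(1)</script>"},
                       {"title": "Archive", "url": "ftp://files.example.internal/"}]}]},
        {"id": 4, "type": "text", "options": {"url": "/d/home/landing"}},
    ],
}


if __name__ == "__main__":
    base, token = os.environ.get("GRAFANA_URL"), os.environ.get("GRAFANA_TOKEN")
    dashboards = fetch_dashboards(base, token) if base and token else [SAMPLE_DASHBOARD]
    total = 0
    for dash in dashboards:
        for f in audit_dashboard(dash):
            total += 1
            print(f"[{f['severity']}] {f['dashboard']} ({f['uid']}) {f['path']} -> {f['url']!r}")
    sys.exit(1 if total else 0)
```

Run it with GRAFANA_URL and GRAFANA_TOKEN set to scan a live instance (a Viewer-level service account token is enough, since it only reads dashboards); without them it runs against the embedded sample and exits non-zero because findings exist, which makes it usable as a scheduled check. A "dangerous" finding on any dashboard should be treated as evidence that an Editor attempted this attack, and the saving account can be identified from that dashboard's version history.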
CVE-2025-58746 is a privilege escalation vulnerability in Volkov Labs Business Links for Grafana: a user with Editor privileges can store JavaScript in a link URL and, once an Administrator follows it, escalate to Administrator and perform arbitrary administrative actions.
You are affected if you run Volkov Labs Business Links in a version prior to 2.4.1 and have users with the Editor role.
Upgrade Volkov Labs Business Links to version 2.4.1 or later to remediate the vulnerability. As a temporary workaround, reduce the number of Editor accounts and audit existing dashboards for link URLs that do not use http or https.
No public exploit is known at the time of writing, but exploitation requires only an Editor account and a link edit, so the probability of exploitation where such accounts are loosely granted should be treated as high regardless of the current EPSS score.
Refer to the official Volkov Labs security advisories for the business-links repository for details and updates: https://github.com/volkovlabs/business-links/security/advisories