Company
Date Published
Author
Paul Gerste
Word count
1290
Language
English
Hacker News points
None

Summary

The vulnerability, tracked as CVE-2025-2703, has existed in Grafana since version 11.1.0 and was fixed in version 11.6.0+security-01, with the fix backported to all currently supported versions. It allows an authenticated attacker with Editor permissions to execute arbitrary JavaScript in a victim's session when the victim views a dashboard, potentially stealing data from other users or elevating privileges. The issue was reported by SonarQube and confirmed by the Grafana team, who implemented a fix and published a release blog post with details of the vulnerability. The patch prevents this kind of issue by converting threshold values to numbers, making it harder for attackers to inject arbitrary JavaScript code. Continuous code scanning is crucial for catching security issues like this one, especially as more code is written by both humans and AI.