The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable value, and that substitution uses the glob format, which applies no HTML escaping. The resulting string is passed to OpenLayers via element.innerHTML. An Editor can therefore set a textbox variable's default value to an XSS payload that executes for every user who opens the dashboard. This is a bypass of the CVE-2023-0507 fix.
Casky was already ahead
This CVE uses attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-9029 represents a critical authorization bypass in geospatial visualization panels where attackers with editor-level permissions can inject persistent cross-site scripting (XSS) payloads through template variables. The vulnerability stems from a flaw in the sanitization order: the application sanitizes raw template strings before variable substitution occurs, allowing malicious payloads in variable default values to bypass HTML escaping and execute when the DOM renders via innerHTML. Any user viewing the compromised dashboard becomes a victim, making this a high-impact privilege escalation vector that affects organizations relying on shared dashboard infrastructure. This is particularly dangerous as it bypasses the previous CVE-2023-0507 mitigation, suggesting attackers have actively studied and circumvented prior security controls.
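The ordering bug described in the first paragraph and in the summary above, reduced to a runnable illustration. This is an added example, not Grafana's or Casky's code: the template syntax (${name}), the minimal HTML escaper standing in for sanitizeTextPanelContent(), and the stand-in for getTemplateSrv().replace() with its glob formatter are all assumptions made for the demonstration. It shows why escaping the raw template before substitution leaves the variable's value unescaped, how reversing the order fixes it, and a check a test suite can run on the string that reaches innerHTML.

```javascript
// Added example (not Grafana or Casky code). Assumptions: templates reference
// variables as ${name}; escapeHtml() is a minimal stand-in for the panel's
// sanitizeTextPanelContent(); replaceVariables() stands in for
// getTemplateSrv().replace() using the glob format.

// Minimal HTML escaper: neutralises the characters that can open markup.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Stand-in for the glob format: multi-value variables become {a,b}. Note that
// the value itself is never escaped, so escaping must happen after substitution.
function formatGlob(value) {
  return Array.isArray(value) ? `{${value.join(',')}}` : String(value);
}

// Stand-in for getTemplateSrv().replace(): substitutes ${name} with the
// glob-formatted value, leaving unknown variables untouched.
function replaceVariables(template, variables) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    name in variables ? formatGlob(variables[name]) : match);
}

// Vulnerable ordering (the bug): sanitize the raw template, then substitute.
// The template contains only "${provider}", so the escaper has nothing to do,
// and whatever the variable holds is spliced in verbatim.
function renderVulnerable(template, variables) {
  return replaceVariables(escapeHtml(template), variables);
}

// Fixed ordering: substitute first, then sanitize the fully expanded string.
function renderFixed(template, variables) {
  return escapeHtml(replaceVariables(template, variables));
}

// Defensive check for a regression test: the string handed to innerHTML must
// not contain an unescaped tag opener when the variable value carried markup.
function leaksMarkup(rendered) {
  return /<[a-zA-Z/!]/.test(rendered);
}

// Constructed sample: an attribution string with a textbox variable whose
// default value carries markup (a harmless <b> tag is used as the marker).
const template = 'Tiles © ${provider}';
const variables = { provider: '<b>untrusted</b>' };

console.log(renderVulnerable(template, variables)); // Tiles © <b>untrusted</b>
console.log(renderFixed(template, variables));      // Tiles © &lt;b&gt;untrusted&lt;/b&gt;
console.log(leaksMarkup(renderVulnerable(template, variables))); // true
console.log(leaksMarkup(renderFixed(template, variables)));      // false
```

The check in leaksMarkup() is deliberately simple: it only needs to catch the case the bug produces, a raw tag opener surviving into the rendered string. Running it against renderVulnerable() and renderFixed() with a marker value like the one above is enough to pin the sanitize-after-interpolate ordering in a unit test so the CVE-2023-0507 fix cannot regress silently.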
While Casky currently shows zero direct skill matches for this specific CVE, the underlying attack pattern maps to critical MITRE ATT&CK techniques that practitioners would detect through behavioral analysis: T1190 (Exploit Public-Facing Application) for the initial editor access exploitation, T1059 (Command Execution) for payload execution context, and T1566 (Phishing) when malicious dashboards are shared to distribute XSS. A Casky-powered analysis would identify the suspicious pattern of template variable manipulation combined with DOM-based code execution, flagging the unusual ordering of sanitization functions and detecting indicators of stored XSS through code flow analysis. Practitioners using Casky would see findings highlighting improper input validation sequences, unsafe HTML rendering methods, and cross-user execution patterns—enabling them to spot similar sanitize-then-interpolate bugs in other template engines before exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-9029. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →

© 2026 Casky.AI, Inc. · AI Security Investigation