The built-in XY Chart plugin is affected by a DOM XSS vulnerability. A user with Editor permissions can modify such a panel to make it execute arbitrary JavaScript.
https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/
https://grafana.com/security/security-advisories/cve-2025-2703