Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
{ "cpes": [ "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*" ], "severity": "Medium" }