What is the CVSS score of CVE-2024-12556?

CVE-2024-12556 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 1.1%.

Which versions of Prototype Pollution are affected by CVE-2024-12556?

CVE-2024-12556 presents significant security risk, a prototype pollution vulnerability rated CVSS 8.7.. A patch is available.

How to fix or mitigate CVE-2024-12556?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Prototype Pollution CVE-2024-12556

HIGH

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2025-04-08 security@elastic.co

Path Traversal File Upload Elastic Prototype Pollution Kibana

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:35 vuln.today

Patch released

Mar 28, 2026 - 18:35 nvd

Patch available

CVE Published

Apr 08, 2025 - 20:15 nvd

HIGH 8.7

DescriptionNVD

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

AnalysisAI

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Technical ContextAI

This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Affected products include: Elastic Kibana.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.

More from same product – last 7 days

CVE-2026-46556 MEDIUM This Month

6.5 May 21

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-33463 MEDIUM This Month

5.3 May 28

Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), al

CVE-2026-33462 MEDIUM This Month

4.6 May 28

Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect adminis

CVE-2026-42401 MEDIUM This Month

4.1 May 28

Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index t

CVE-2024-12556 vulnerability details – vuln.today

Back