Skip to main content

Kibana CVE-2026-42401

| EUVDEUVD-2026-33012 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-28 elastic GHSA-7r23-c4px-q9xc
4.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 20:24 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.

AnalysisAI

Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index to persist crafted markup that is insufficiently sanitized when rendered in an affected Kibana view. When a second user opens the compromised view, their browser processes the unsanitized content, enabling unauthorized manipulation of the Kibana UI and issuing outbound network requests from the victim's browser session. No public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided in source intelligence.

Technical ContextAI

This is a stored (persistent) CWE-79 cross-site scripting variant, distinct from reflected XSS in that the malicious payload persists server-side. The attack surface is Kibana's data visualization layer: Kibana reads field values from Elasticsearch indices and renders them in browser-facing views. When Kibana fails to adequately sanitize those field values before inserting them into the DOM, attacker-controlled markup can execute in the viewing user's browser context. The CVSS scope change (S:C) confirms that the vulnerable component (Kibana's rendering layer) impacts a security context beyond the attacker's own - specifically, the victim user's browser session. Affected products per CPE cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* encompass the full Kibana product line from Elastic across all versions in the wildcard range. CWE-79 at its root reflects a failure to apply output encoding or a content security policy sufficient to neutralize HTML/script injection from untrusted data sources.

RemediationAI

Upgrade Kibana to the fixed versions referenced in Elastic Security Advisory ESA-2026-34, available at https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552. Based on the advisory URL pattern, fix versions are 8.19.1 (for the 8.x line) and 6.9.3.5 (for the 6.9.x line); these should be verified against the advisory content directly as they are inferred from URL structure and not independently confirmed from advisory body text. If immediate upgrade is not feasible, a targeted compensating control is to audit and restrict Elasticsearch index write permissions - removing write access from any user account that does not require it directly reduces the attacker's ability to stage the malicious payload. Additionally, deploying a Content Security Policy (CSP) header that restricts script sources and outbound connections can limit the practical impact of any injected markup that does reach the browser. Note that CSP hardening may break legitimate Kibana plugin functionality and should be tested in a non-production environment first.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-42401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy