What is the CVSS score of CVE-2026-42401?

CVE-2026-42401 has a CVSS 3.1 base score of 4.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N.

Kibana CVE-2026-42401

EUVD-2026-33012 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-05-28 elastic

XSS Elastic Kibana

4.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 20:24 vuln.today

DescriptionNVD

Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.

AnalysisAI

Stored HTML injection in Kibana allows a low-privileged authenticated user with write access to an Elasticsearch index to persist crafted markup that is insufficiently sanitized when rendered in an affected Kibana view. When a second user opens the compromised view, their browser processes the unsanitized content, enabling unauthorized manipulation of the Kibana UI and issuing outbound network requests from the victim's browser session. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-42398 HIGH This Week

7.7 May 28

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-49095 MEDIUM This Month

6.5 May 28

Privilege escalation in Elastic Kibana's Fleet agent policy management feature allows authenticated Fleet administrators

CVE-2026-33463 MEDIUM This Month

5.3 May 28

Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), al

CVE-2026-33462 MEDIUM This Month

4.6 May 28

Dashboard management path traversal in Elastic Kibana allows a low-privileged authenticated attacker to redirect adminis

CVE-2026-42401 vulnerability details – vuln.today

Back