Skip to main content

Kibana

84 CVEs product

Monthly

CVE-2026-49091 HIGH This Week

Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Elastic Kibana
NVD VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-56151 MEDIUM This Month

Fleet policy management in Kibana is vulnerable to denial of service through insufficient validation of user-supplied policy inputs. An authenticated Kibana user with Fleet write access can submit a specially crafted Fleet policy input that bypasses server-side validation, rendering Fleet agent management, server operations, and policy configuration unavailable. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low authentication bar (any valid low-privilege account) and network accessibility make it a meaningful operational risk for organizations relying on Elastic Agent deployments.

Elastic Denial Of Service Kibana
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49088 MEDIUM This Month

Sensitive HTTP request header values are written into Kibana application logs when the optional APM (Application Performance Monitoring) instrumentation feature is enabled, exposing credentials or tokens to anyone with operator-level log access. This affects multiple Kibana release branches (8.18.x, 8.19.x, 9.0.x, and 9.1.x) and is classified as information disclosure under CWE-532. No public exploit or active exploitation has been identified at time of analysis; the exposure is passive and gated behind both a non-default configuration and existing operator privileges.

Elastic Information Disclosure Kibana
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-49087 MEDIUM This Month

Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. The vulnerability requires no special configuration to be present and no user interaction beyond submitting the malicious request, making it reliably triggerable by any valid Kibana account holder. No public exploit or CISA KEV listing identified at time of analysis.

Elastic Denial Of Service Kibana
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-26938 HIGH This Week

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem, and perform Server-Side (CVSS 8.6).

SSRF Code Injection Kibana
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-26937 MEDIUM This Month

Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26936 MEDIUM This Month

Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.

Denial Of Service AI / ML Kibana
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-26935 MEDIUM This Month

Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26934 MEDIUM This Month

Kibana contains a vulnerability that allows attackers to an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0543 MEDIUM This Month

Kibana's Email Connector fails to properly validate email address parameters, allowing authenticated users with view-level privileges to trigger excessive resource allocation and crash the service. An attacker can exploit this input validation flaw by submitting a specially crafted email address to cause complete denial of service, requiring manual service restart to restore availability for all users. No patch is currently available.

Code Injection Kibana Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0531 MEDIUM This Month

Kibana Fleet is vulnerable to denial of service through uncontrolled resource allocation when processing specially crafted bulk retrieval requests, allowing authenticated users with viewer-level privileges to exhaust server memory and crash the application. An attacker can trigger redundant database operations that consume resources without limits, rendering the service unavailable to all users. No patch is currently available for this vulnerability.

Denial Of Service Kibana Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0530 MEDIUM This Month

Kibana Fleet fails to limit resource allocation when processing specially crafted requests, allowing authenticated attackers to trigger excessive CPU and memory consumption that degrades or completely disables the service. The vulnerability affects Kibana deployments where users have authentication access, and no patch is currently available to remediate the issue.

Denial Of Service Kibana Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0528 Go MEDIUM PATCH This Month

Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads to Graphite, Zookeeper, or Prometheus data sources due to improper array index validation and input validation flaws. An unauthenticated attacker on the network can exploit this to crash monitoring services without user interaction. No patch is currently available.

Prometheus Denial Of Service Kibana Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-37734 MEDIUM Monitor

Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SSRF Kibana Red Hat
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-25010 MEDIUM PATCH This Month

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation Kibana Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-25012 MEDIUM PATCH CERT-EU This Month

URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

SSRF Open Redirect Debian Kibana Red Hat
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-43706 HIGH PATCH This Week

CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.

Elastic Privilege Escalation Authentication Bypass Kibana
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-25014 CRITICAL PATCH Act Now

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution RCE Elastic Kibana
NVD
CVSS 3.1
9.1
EPSS
2.5%
CVE-2025-25016 MEDIUM PATCH This Month

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Elastic File Upload Kibana
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-11390 MEDIUM PATCH This Month

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

XSS Elastic File Upload Kibana
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-12556 HIGH PATCH This Week

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Path Traversal Elastic File Upload Kibana
NVD
CVSS 3.1
8.7
EPSS
1.1%
CVE-2024-52974 MEDIUM PATCH This Month

An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-25015 CRITICAL Act Now

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution RCE Elastic File Upload Kibana
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2024-43708 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-52972 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-43710 MEDIUM PATCH Monitor

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Elastic SSRF Kibana
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-43707 HIGH PATCH This Month

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
7.7
EPSS
0.8%
CVE-2024-52973 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-37285 HIGH PATCH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Elastic Kibana
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2024-37288 HIGH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-37287 HIGH This Week

A flaw allowing arbitrary code execution was discovered in Kibana. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Elastic RCE Kibana
NVD
CVSS 3.1
7.2
EPSS
1.6%
CVE-2024-37281 MEDIUM PATCH This Month

An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-23443 MEDIUM This Month

A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
4.9
EPSS
1.8%
CVE-2024-23442 MEDIUM This Month

An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-37279 MEDIUM This Month

A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-23446 MEDIUM This Month

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-46675 MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-46671 MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-31422 HIGH This Week

An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-31415 HIGH This Week

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-31414 HIGH This Week

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-23713 MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-23711 MEDIUM This Month

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-23710 MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Kibana
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-23709 MEDIUM This Month

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Kibana
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-37939 npm LOW PATCH Monitor

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic IBM Atlassian Information Disclosure Kibana
NVD
CVSS 3.1
2.7
EPSS
0.4%
CVE-2021-37938 MEDIUM This Month

It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Privilege Escalation Kibana
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-22139 MEDIUM This Month

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-22136 LOW Monitor

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2020-27816 MEDIUM This Month

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana Openshift Container Platform
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-7017 MEDIUM This Month

In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana Communications Billing And Revenue Management Communications Cloud Native Core Network Function Cloud Native Environment +1
NVD
CVSS 3.1
6.7
EPSS
1.2%
CVE-2020-7016 MEDIUM PATCH This Month

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable.

Elastic Denial Of Service Kibana Communications Billing And Revenue Management Communications Cloud Native Core Network Function Cloud Native Environment +1
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-7015 MEDIUM This Month

Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-7013 HIGH This Week

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Code Injection Kibana Openshift Container Platform
NVD
CVSS 3.1
7.2
EPSS
2.1%
CVE-2020-7012 HIGH POC THREAT Act Now

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Code Injection Kibana
NVD
CVSS 3.1
8.8
EPSS
18.2%
CVE-2019-7621 MEDIUM This Month

Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-7618 MEDIUM This Month

A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Kibana
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2019-7616 MEDIUM This Month

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SSRF Kibana
NVD
CVSS 3.1
4.9
EPSS
2.1%
CVE-2019-7610 CRITICAL Act Now

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Elastic RCE Kibana
NVD
CVSS 3.0
9.0
EPSS
3.9%
CVE-2019-7609 CRITICAL POC KEV THREAT Emergency

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Elastic RCE Kibana Openshift Container Platform
NVD
CVSS 3.1
10.0
EPSS
95.3%
CVE-2019-7608 MEDIUM This Month

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
1.3%
CVE-2018-17246 CRITICAL POC THREAT Act Now

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic RCE Kibana Openshift Container Platform
NVD
CVSS 3.0
9.8
EPSS
82.3%
CVE-2018-17245 CRITICAL Act Now

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2018-3830 MEDIUM This Month

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana Openshift Container Platform
NVD
CVSS 3.1
6.1
EPSS
1.9%
CVE-2018-3821 MEDIUM This Month

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2018-3820 MEDIUM This Month

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2018-3819 MEDIUM This Month

The fix in Kibana for ESA-2017-23 was incomplete. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-3818 MEDIUM This Month

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2017-11482 MEDIUM This Month

The Kibana fix for CVE-2017-8451 was found to be incomplete. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-11481 MEDIUM This Month

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-11479 MEDIUM This Month

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8443 MEDIUM This Month

In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-8452 HIGH This Week

Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Kibana
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-8451 MEDIUM This Month

With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-10366 MEDIUM This Month

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-10365 MEDIUM This Month

Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-10364 MEDIUM This Month

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2016-1000220 MEDIUM This Month

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-1000219 HIGH This Week

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2015-9056 MEDIUM This Month

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8440 MEDIUM This Month

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8439 MEDIUM This Month

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2015-8131 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Elastic CSRF Kibana
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2015-4093 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 2.0
4.3
EPSS
0.2%
EPSS 0% CVSS 8.0
HIGH This Week

Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Elastic Kibana
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Fleet policy management in Kibana is vulnerable to denial of service through insufficient validation of user-supplied policy inputs. An authenticated Kibana user with Fleet write access can submit a specially crafted Fleet policy input that bypasses server-side validation, rendering Fleet agent management, server operations, and policy configuration unavailable. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low authentication bar (any valid low-privilege account) and network accessibility make it a meaningful operational risk for organizations relying on Elastic Agent deployments.

Elastic Denial Of Service Kibana
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Sensitive HTTP request header values are written into Kibana application logs when the optional APM (Application Performance Monitoring) instrumentation feature is enabled, exposing credentials or tokens to anyone with operator-level log access. This affects multiple Kibana release branches (8.18.x, 8.19.x, 9.0.x, and 9.1.x) and is classified as information disclosure under CWE-532. No public exploit or active exploitation has been identified at time of analysis; the exposure is passive and gated behind both a non-default configuration and existing operator privileges.

Elastic Information Disclosure Kibana
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. The vulnerability requires no special configuration to be present and no user interaction beyond submitting the malicious request, making it reliably triggerable by any valid Kibana account holder. No public exploit or CISA KEV listing identified at time of analysis.

Elastic Denial Of Service Kibana
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem, and perform Server-Side (CVSS 8.6).

SSRF Code Injection Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.

Denial Of Service Kibana
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.

Denial Of Service AI / ML Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.

Denial Of Service Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana contains a vulnerability that allows attackers to an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).

Denial Of Service Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana's Email Connector fails to properly validate email address parameters, allowing authenticated users with view-level privileges to trigger excessive resource allocation and crash the service. An attacker can exploit this input validation flaw by submitting a specially crafted email address to cause complete denial of service, requiring manual service restart to restore availability for all users. No patch is currently available.

Code Injection Kibana Red Hat
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana Fleet is vulnerable to denial of service through uncontrolled resource allocation when processing specially crafted bulk retrieval requests, allowing authenticated users with viewer-level privileges to exhaust server memory and crash the application. An attacker can trigger redundant database operations that consume resources without limits, rendering the service unavailable to all users. No patch is currently available for this vulnerability.

Denial Of Service Kibana Red Hat
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana Fleet fails to limit resource allocation when processing specially crafted requests, allowing authenticated attackers to trigger excessive CPU and memory consumption that degrades or completely disables the service. The vulnerability affects Kibana deployments where users have authentication access, and no patch is currently available to remediate the issue.

Denial Of Service Kibana Red Hat
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads to Graphite, Zookeeper, or Prometheus data sources due to improper array index validation and input validation flaws. An unauthenticated attacker on the network can exploit this to crash monitoring services without user interaction. No patch is currently available.

Prometheus Denial Of Service Kibana +1
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SSRF Kibana +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

SSRF Open Redirect Debian +2
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.

Elastic Privilege Escalation Authentication Bypass +1
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution RCE Elastic +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Elastic File Upload Kibana
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

XSS Elastic File Upload +1
NVD
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Path Traversal Elastic +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution RCE Elastic +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Elastic SSRF Kibana
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Month

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Kibana
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Elastic +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Elastic +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

A flaw allowing arbitrary code execution was discovered in Kibana. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Elastic RCE +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
EPSS 2% CVSS 4.9
MEDIUM This Month

A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Kibana
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Kibana
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic IBM Atlassian +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Privilege Escalation +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 3.5
LOW Monitor

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana +1
NVD
EPSS 1% CVSS 6.7
MEDIUM This Month

In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana +3
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable.

Elastic Denial Of Service Kibana +3
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Code Injection +2
NVD
EPSS 18% CVSS 8.8
HIGH POC THREAT Act Now

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Code Injection +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic RCE Kibana
NVD
EPSS 2% CVSS 4.9
MEDIUM This Month

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SSRF Kibana
NVD
EPSS 4% CVSS 9.0
CRITICAL Act Now

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Elastic RCE +1
NVD
EPSS 95% CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Elastic RCE +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 82% CVSS 9.8
CRITICAL POC THREAT Act Now

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic RCE Kibana +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The fix in Kibana for ESA-2017-23 was incomplete. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Kibana fix for CVE-2017-8451 was found to be incomplete. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Elastic Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Elastic CSRF Kibana
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy