CVE-2025-25017
Published: 2025-10-10
CVE-2025-25017: Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
Priority: P4 · 25 · CVSS 3.1 base score 6.1 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.25% (percentile 16.3)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 7.0.0 < 8.18.8 | 8.18.8 |
| elastic | kibana | 7.0.0 – 7.17.29 | — |
| elastic | kibana | 8.0.0 – 8.18.7 | — |
| elastic | kibana | >= 8.19.0 < 8.19.4 | 8.19.4 |
| elastic | kibana | 8.19.0 – 8.19.3 | — |
| elastic | kibana | >= 9.0.0 < 9.0.7 | 9.0.7 |
| elastic | kibana | 9.0.0 – 9.0.6 | — |
| elastic | kibana | >= 9.1.0 < 9.1.4 | 9.1.4 |
| elastic | kibana | 9.1.0 – 9.1.3 | — |
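The table above lists four fixed releases and several overlapping range notations from different sources. As an added example (not part of the advisory or of Kibana itself), the script below folds those rows into four half-open ranges and checks a Kibana version against them, returning the release to upgrade to. It reads the version from the JSON shape Kibana's `/api/status` endpoint returns (`version.number`); the status body used here is constructed, not a real capture, and on a secured deployment the endpoint requires credentials. Versions on lines the page does not list (for example 9.2.x) are reported as not in a listed range, which is all this page supports.

```python
"""Check a Kibana version against the affected ranges listed above (added example)."""
import json
import re
from typing import Optional, Tuple

# Affected ranges as (lower inclusive, upper exclusive, fixed_in), folded from the
# table on the page. The 7.x line and 8.0.0-8.18.7 have no separate fix listed;
# they fall inside the ">= 7.0.0 < 8.18.8" row whose fixed release is 8.18.8.
AFFECTED_RANGES = [
    ("7.0.0", "8.18.8", "8.18.8"),
    ("8.19.0", "8.19.4", "8.19.4"),
    ("9.0.0", "9.0.7", "9.0.7"),
    ("9.1.0", "9.1.4", "9.1.4"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (a trailing -SNAPSHOT or +build tag is ignored)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"not a Kibana release version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_version(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return fixed
    return None


def check_status_response(body: str) -> Optional[str]:
    """Extract version.number from a Kibana /api/status JSON body and check it."""
    doc = json.loads(body)
    return check_version(doc["version"]["number"])


# Constructed sample of the relevant part of a /api/status response (not a real capture).
SAMPLE_STATUS = '{"name": "kibana-1", "version": {"number": "8.19.3", "build_hash": "deadbeef"}}'

if __name__ == "__main__":
    for ver in ["7.17.29", "8.18.7", "8.18.8", "8.19.3", "9.0.7", "9.1.4", "9.2.0"]:
        fixed = check_version(ver)
        verdict = f"affected, upgrade to {fixed}" if fixed else "not in a listed affected range"
        print(f"{ver}: {verdict}")
    print("status sample:", check_status_response(SAMPLE_STATUS))
```

To run it against a live instance, fetch `GET /api/status` with an authenticated client and pass the response body to `check_status_response`; an installation on the 7.17 line is reported as affected with 8.18.8 as the nearest fixed release, since the page lists no 7.x fix.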
CVSS provenance
NVD (CVSS v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 8.2 HIGH
Red Hat
Kibana: Kibana Stored Cross-Site Scripting (XSS)
Source: vendor_redhat · 2025-10-10 · CVSS 8.2 (HIGH) · CWE-79
A Cross-Site Scripting (XSS) vulnerability in Kibana’s Vega visualization engine. It results from improper input validation in Vega visualization specifications, allowing attackers to inject malicious JavaScript. Successful exploitation could lead to session hijacking, data theft, or privilege escalation within Kibana dashboards.
Statement: This vulnerability is rated Important rather than Moderate because it allows unauthenticated remote exploitation through user interaction, enabling attackers to execute arbitrary JavaScript within the Kibana interface and compromise the confidentiality and integrity of dashboard data. Unlike mod
GHSA
GHSA-866g-x98c-rprc: Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
Source: ghsa_unreviewed · 2025-10-10 · HIGH · CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-10