CVE-2025-25018
Published 2025-10-10
CVE-2025-25018: Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
Priority P4 · 25 · medium · 5.4 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.21% (11.1th percentile)
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 7.0.0 < 8.18.8 | 8.18.8 |
| elastic | kibana | 7.0.0 – 7.17.29 | — |
| elastic | kibana | 7.0.0 – 7.17.29 | — |
| elastic | kibana | >= 8.0.0 < 8.19.8 | 8.19.8 |
| elastic | kibana | 8.0.0 – 8.19.7 | — |
| elastic | kibana | >= 8.19.0 < 8.19.5 | 8.19.5 |
| elastic | kibana | >= 9.0.0 < 9.1.8 | 9.1.8 |
| elastic | kibana | >= 9.0.0 < 9.0.8 | 9.0.8 |
| elastic | kibana | 9.0.0 – 9.1.7 | — |
| elastic | kibana | >= 9.1.0 < 9.1.5 | 9.1.5 |
| elastic | kibana | >= 9.2.0 < 9.2.2 | 9.2.2 |
| elastic | kibana | 9.2.0 – 9.2.1 | — |
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat · 8.7 HIGH
GHSA
GHSA-97mj-r9v7-258f: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within
ghsa_unreviewed·2025-12-15·CVSS 8.7
CVE-2025-37732 [HIGH] CWE-79 GHSA-97mj-r9v7-258f: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection.
GHSA
GHSA-23vx-2j4v-jvhm: Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
ghsa_unreviewed·2025-10-10
CVE-2025-25018 [HIGH] CWE-79 GHSA-23vx-2j4v-jvhm: Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
Red Hat
kibana: Kibana: Cross-site Scripting (XSS) via integration package upload
vendor_redhat·2025-12-15·CVSS 8.7
CVE-2025-37732 [HIGH] CWE-79 kibana: Kibana: Cross-site Scripting (XSS) via integration package upload
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection.
A flaw was found in Kibana. This vulnerability allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality.
Statement: This vulnerability is rated Moderate for Red Hat products as it affects Kibana in OpenShift Container Platform. An authenticated user can exploit this cross-site scripting flaw by uploading a malicious integration package, le
Red Hat
Kibana: Kibana Stored Cross-Site Scripting (XSS)
vendor_redhat·2025-10-10·CVSS 8.7
CVE-2025-25018 [HIGH] CWE-79 Kibana: Kibana Stored Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
A stored Cross-Site Scripting (XSS) vulnerability in Kibana, caused by improper neutralization of user input during web page generation. This flaw allows a low-privileged attacker to inject malicious scripts into Kibana dashboards or visualizations, which execute in other users’ browsers and can lead to data theft or session compromise.
Statement: This vulnerability is considered Important rather than Moderate because it enables persistent client-side code execution within a shared analytics environment. Unlike reflected or transient XSS flaws, the injected payload in CVE-2025-25018 is stored on the Kibana server and automat
No detection rules found.
No public exploits indexed.
Published: 2025-10-10