CVE-2025-37732 — Cross-site Scripting in Kibana

CWE-79 — Cross-site Scripting CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

5.4MEDIUMNVD

CNA8.7

EPSS

0.1%

top 83.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedDec 15

Description

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDelastic/kibana8.0.0 — 8.19.8+3

▶CVEListV5elastic/kibana7.0.0 — 7.17.29+3

🔴Vulnerability Details

CVEList

Kibana Cross-site Scripting via the Integration Package Upload Functionality↗2025-12-15

▶

GHSA

GHSA-97mj-r9v7-258f: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within↗2025-12-15

▶

📋Vendor Advisories

Red Hat

kibana: Kibana: Cross-site Scripting (XSS) via integration package upload↗2025-12-15

▶

Microsoft

Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.↗2023-07-11

▶

🕵️Threat Intelligence

Wiz

CVE-2025-37732 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶