CVE-2025-68387 — Cross-site Scripting in Kibana

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 70.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedDec 18

Latest updateDec 19

Description

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDelastic/kibana8.0.0 — 8.19.9+3

▶CVEListV5elastic/kibana8.0.0 — 8.19.8+3

🔴Vulnerability Details

GHSA

GHSA-4rxh-p69j-7rxg: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious scri↗2025-12-19

▶

CVEList

Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗2025-12-18

▶

📋Vendor Advisories

Red Hat

Kibana: Kibana: Cross-site scripting (XSS) via improper input neutralization in Vega AST evaluator↗2025-12-18

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68387 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶