Elastic Kibana vulnerabilities

108 known vulnerabilities affecting elastic/kibana.

Total CVEs: 108
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 23, MEDIUM 76, LOW 2

Vulnerabilities

Page 2 of 6
CVE-2025-68385 | MEDIUM | CVSS 6.1 | Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.9 (+5 more) | Published: 2025-12-18
CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega that bypasses a previous Vega XSS mitigation.
Sources: cvelistv5, nvd

CVE-2025-68387 | MEDIUM | CVSS 6.1 | Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.9 (+5 more) | Published: 2025-12-18
CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
Sources: cvelistv5, nvd

CVE-2025-37732 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.8 (+2 more) | Published: 2025-12-15
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user's browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018), bypassing that fix to achieve HTML injection.
Sources: cvelistv5, nvd

CVE-2025-37734 | MEDIUM | CVSS 4.3 | Affected: ≥ 8.12.0, < 8.19.7; ≥ 9.1.0, < 9.1.7 (+3 more) | Published: 2025-11-12
CWE-346: Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
Sources: cvelistv5, nvd

CVE-2025-37735 | HIGH | CVSS 7.0 | Affected: ≥ 8.0.0, ≤ 8.19.5; ≥ 9.0.0, ≤ 9.1.5 | Published: 2025-11-06
CWE-281: Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.
Sources: cvelistv5, nvd

CVE-2025-25017 | MEDIUM | CVSS 6.1 | Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.4 (+7 more) | Published: 2025-10-10
CWE-79: Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS).
Sources: cvelistv5, nvd

CVE-2025-25018 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.5 (+6 more) | Published: 2025-10-10
CWE-79: Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS).
Sources: cvelistv5, nvd

CVE-2025-25009 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.5 (+7 more) | Published: 2025-10-07
CWE-79: Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
Sources: cvelistv5, nvd

CVE-2025-37728 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.14.0, ≤ 8.18.7 (+3 more) | Published: 2025-10-07
CWE-522: Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access.
Sources: cvelistv5, nvd

CVE-2025-25010 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.0.0, < 9.0.6; ≥ 9.1.0, < 9.1.3 (+2 more) | Published: 2025-08-28
CWE-863: Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role, which incorrectly has the ability to access all Kibana Spaces.
Sources: cvelistv5, nvd

CVE-2025-25012 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.0.0, < 7.17.29; ≥ 8.0.0, < 8.17.8 (+6 more) | Published: 2025-06-25
CWE-601: URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and to server-side request forgery via a specially crafted URL.
Sources: cvelistv5, nvd

CVE-2024-43706 | HIGH | CVSS 8.8 | Affected: ≤ 8.12.0; ≥ 8.12.0, < 8.12.1 | Published: 2025-06-10
CWE-285: Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
Sources: cvelistv5, nvd

CVE-2025-25014 | CRITICAL | CVSS 9.8 | Affected: ≥ 8.3.0, < 8.17.6; v8.18.0 (+3 more) | Published: 2025-05-06
CWE-1321: A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
Sources: cvelistv5, nvd

CVE-2024-11390 | MEDIUM | CVSS 5.4 | Affected: ≥ 7.17.6, < 7.17.24; ≥ 8.4.0, < 8.12.0 (+2 more) | Published: 2025-05-01
CWE-434: Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
Sources: cvelistv5, nvd

CVE-2025-25016 | MEDIUM | CVSS 4.3 | Affected: ≥ 7.17.0, < 7.17.19; ≥ 8.0.0, < 8.13.0 (+1 more) | Published: 2025-05-01
CWE-434: Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
Sources: cvelistv5, nvd

CVE-2024-12556 | CRITICAL | CVSS 9.8 | Affected: ≥ 8.16.1, < 8.16.4; ≥ 8.17.0, < 8.17.2 (+1 more) | Published: 2025-04-08
CWE-1321: Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
Sources: cvelistv5, nvd

CVE-2024-52974 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.17.0, < 7.17.23; ≥ 8.0.0, < 8.15.1 (+2 more) | Published: 2025-04-08
CWE-400: An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
Sources: cvelistv5, nvd

CVE-2025-25015 | CRITICAL | CVSS 9.9 | Affected: ≥ 8.15.0, < 8.16.6; ≥ 8.17.0, < 8.17.3 | Published: 2025-03-05
CWE-1321: Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following priv
Sources: cvelistv5, nvd

CVE-2024-43708 | MEDIUM | CVSS 6.5 | Affected: fixed in 7.17.23; ≥ 8.0.0, < 8.15.0 (+1 more) | Published: 2025-01-23
CWE-770: An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in the Kibana UI. This can be carried out by users with read access to any feature in Kibana.
Sources: cvelistv5, nvd

CVE-2024-52972 | MEDIUM | CVSS 6.5 | Affected: fixed in 7.17.23; ≥ 8.0.0, < 8.15.0 (+1 more) | Published: 2025-01-23
CWE-770: An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
Sources: cvelistv5, nvd