cvebase

Elastic Kibana vulnerabilities

117 known vulnerabilities affecting elastic/kibana.

Total CVEs: 117
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: Critical 7, High 25, Medium 83, Low 2

Vulnerabilities

Page 4 of 6
CVE-2021-22139 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | published 2021-05-13
Affected: before 7.12.1; fixed in 7.12.1
Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions, due to a lack of a timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Source: nvd
CVE-2020-7017 | P4 | MEDIUM | CVSS 6.7 | CWE-79 | published 2020-07-27
Affected: before 6.8.11 and 7.8.1
In Kibana versions before 6.8.11 and 7.8.1, the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
Source: nvd
CVE-2017-8443 | P4 | MEDIUM | CVSS 6.5 | CWE-598 | published 2017-06-30
Affected: ≤ 5.4.2
In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana acc
Source: nvd
CVE-2024-11390 | P4 | MEDIUM | CVSS 5.4 | CWE-434 | published 2025-05-01
Affected: ≥ 7.17.6, < 7.17.24; ≥ 8.4.0, < 8.12.0; +2 more
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app and/or have access to write to the synthetics indices.
Source: nvd
CVE-2025-37728 | P4 | MEDIUM | CVSS 5.4 | CWE-522 | published 2025-10-07
Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.14.0, ≤ 8.18.7; +3 more
Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access.
Source: nvd
CVE-2020-27816 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | published 2020-12-02
Affected: ≤ 4.7
The elasticsearch-operator does not validate the namespace where the Kibana logging resource is created, and because of that it is possible to replace the original openshift-logging console link (the Kibana console) with a different one, created from the new CR for the new Kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging c
Source: nvd
CVE-2026-42401 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2026-05-28
Affected: ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +2 more
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in una
Source: nvd
CVE-2022-23711 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | published 2022-04-21
Affected: ≥ 7.2.1, < 7.17.3; ≥ 8.0.0, < 8.1.3; +1 more
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The E
Source: nvd
CVE-2026-33463 | P4 | MEDIUM | CVSS 5.3 | CWE-672 | published 2026-05-28
Affected: ≥ 8.0.0, < 8.19.16; ≥ 9.0.0, < 9.3.5; +2 more
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the a
Source: nvd
CVE-2021-22141 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | published 2022-11-18
Affected: fixed in 6.8.16; ≥ 7.0.0, < 7.13.0; +1 more
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged-in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
Source: nvd
CVE-2022-38779 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | published 2023-02-22
Affected: ≥ 7.0.0, < 7.17.9; ≥ 8.0.0, < 8.6.2; +1 more
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
Source: nvd
CVE-2024-23442 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | published 2024-06-14
Affected: fixed in 7.17.22; ≥ 8.0.0, < 8.14.0; +2 more
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
Source: nvd
CVE-2025-68387 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | published 2025-12-18
Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.9; +5 more
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
Source: nvd
CVE-2025-25012 | P4 | MEDIUM | CVSS 5.4 | CWE-601 | published 2025-06-25
Affected: ≥ 7.0.0, < 7.17.29; ≥ 8.0.0, < 8.17.8; +6 more
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
Source: nvd
CVE-2015-8131 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | published 2015-12-07
Affected: ≤ 4.1.2; 4.2.0
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Source: nvd
CVE-2018-3830 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | published 2018-09-19
Affected: ≥ 5.3.0, ≤ 6.4.1 (after 5.3.0, before 5.6.12 and 6.4.1)
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Source: nvd
CVE-2016-1000220 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | published 2017-06-16
Affected: ≥ 4.1.0, < 4.1.11; ≥ 4.5.0, < 4.5.4
Kibana before 4.5.4 and 4.1.11 is vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
Source: nvd
CVE-2025-25017 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | published 2025-10-10
Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.4; +7 more
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS).
Source: nvd
CVE-2020-7015 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2020-06-03
Affected: fixed in 6.8.10; ≥ 7.0.0, < 7.7.1; +1 more
Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit the TSVB visualization.
Source: nvd
CVE-2025-25009 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2025-10-07
Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.5; +7 more
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
Source: nvd
Elastic Kibana vulnerabilities | cvebase