
Elastic Kibana vulnerabilities

117 known vulnerabilities affecting elastic/kibana.

Total CVEs: 117
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 7, HIGH 25, MEDIUM 83, LOW 2

Vulnerabilities

Page 5 of 6
CVE-2025-25018 (MEDIUM, P4, CVSS 5.4, CWE-79) 2025-10-10
  Affected: ≥ 7.0.0, < 8.18.8; ≥ 8.19.0, < 8.19.5; +6 more
  Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS).
  Source: nvd

CVE-2025-37732 (MEDIUM, P4, CVSS 5.4) 2025-12-15
  Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.8; +2 more
  Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user's browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018), bypassing that fix to achieve HTML injection.
  Source: nvd

CVE-2025-25016 (MEDIUM, P4, CVSS 4.3, CWE-434) 2025-05-01
  Affected: ≥ 7.17.0, < 7.17.19; ≥ 8.0.0, < 8.13.0; +1 more
  Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
  Source: nvd

CVE-2025-68422 (MEDIUM, P4, CVSS 4.3, CWE-863) 2025-12-18
  Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.7; +5 more
  Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the "live queries - read" permission to successfully retrieve the list of live queries.
  Source: nvd

CVE-2019-7608 (MEDIUM, P4, CVSS 6.1, CWE-79) 2019-03-25
  Affected: fixed in 5.6.15; ≥ 6.0.0, < 6.6.1; +1 more
  Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
  Source: nvd

CVE-2015-9056 (MEDIUM, P4, CVSS 6.1, CWE-79) 2017-06-16
  Affected: ≥ 4.1.0, < 4.1.3; ≥ 4.2.0, < 4.2.1; +2 more
  Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack.
  Source: nvd

CVE-2025-68385 (MEDIUM, P4, CVSS 6.1, CWE-79) 2025-12-18
  Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.9; +5 more
  Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega, bypassing a previous Vega XSS mitigation.
  Source: nvd

CVE-2019-7621 (MEDIUM, P4, CVSS 5.4, CWE-79) 2019-12-18
  Affected: fixed in 6.8.6; ≥ 7.0.0, < 7.5.1; +1 more
  Kibana versions before 6.8.6 and 7.5.1 contain a cross-site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaSc
  Source: nvd

CVE-2022-23707 (MEDIUM, P4, CVSS 5.4, CWE-79) 2022-02-11
  Affected: ≥ 7.5.1, < 7.17.0; 7.5.1 through 7.16.3
  An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious JavaScript into the index pattern, which could execute against other users.
  Source: nvd

CVE-2024-23443 (MEDIUM, P4, CVSS 4.9, CWE-400) 2024-06-19
  Affected: ≥ 7.0.0, < 7.17.22; ≥ 8.0.0, < 8.14.0; +2 more
  A high-privileged user, allowed to create custom osquery packs, could affect the availability of Kibana by uploading a maliciously crafted osquery pack.
  Source: nvd

CVE-2021-37936 (MEDIUM, P4, CVSS 5.4, CWE-79) 2022-11-18
  Affected: fixed in 7.14.1; versions before 7.14.1
  It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an Elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
  Source: nvd

CVE-2025-68386 (MEDIUM, P4, CVSS 4.3, CWE-863) 2025-12-18
  Affected: ≥ 7.0.0, ≤ 7.17.29; ≥ 8.0.0, < 8.19.8; +5 more
  Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global", even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.
  Source: nvd

CVE-2017-11479 (MEDIUM, P4, CVSS 6.1, CWE-79) 2017-09-29
  Affected: v5.0.0; v5.0.1; +19 more
  Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
  Source: nvd

CVE-2016-10365 (MEDIUM, P4, CVSS 6.1, CWE-601) 2017-06-16
  Affected: ≤ 4.6.2; ≤ 5.0.0; +1 more
  Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.
  Source: nvd

CVE-2016-10366 (MEDIUM, P4, CVSS 6.1, CWE-79) 2017-06-16
  Affected: v4.3.0; v4.3.1; +13 more
  Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
  Source: nvd

CVE-2018-3818 (MEDIUM, P4, CVSS 6.1, CWE-79) 2018-03-30
  Affected: ≥ 5.1.1, ≤ 6.1.2; 5.1.1 to 6.1.2 and 5.6.6
  Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
  Source: nvd

CVE-2018-3819 (MEDIUM, P4, CVSS 6.1, CWE-601) 2018-03-30
  Affected: fixed in 5.6.7; ≥ 6.0.0, < 6.1.3; +1 more
  The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
  Source: nvd

CVE-2017-11481 (MEDIUM, P4, CVSS 6.1, CWE-79) 2017-12-08
  Affected: v5.6.0; v5.6.1; +5 more
  Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
  Source: nvd

CVE-2022-23710 (MEDIUM, P4, CVSS 6.1, CWE-79) 2022-03-03
  Affected: ≥ 7.15.0, ≤ 7.17.0; v8.0.0; +1 more
  A cross-site scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim's browser.
  Source: nvd

CVE-2017-11482 (MEDIUM, P4, CVSS 6.1, CWE-601) 2017-12-08
  Affected: v5.6.0; v5.6.1; +5 more
  The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
  Source: nvd
Elastic Kibana vulnerabilities | cvebase