Filtered by vendor Elastic
Subscriptions
Filtered by product Kibana
Subscriptions
Total
75 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-7609 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2025-07-30 | 9.8 Critical |
| Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | ||||
| CVE-2024-52973 | 1 Elastic | 1 Kibana | 2025-07-13 | 6.5 Medium |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. | ||||
| CVE-2024-52974 | 1 Elastic | 1 Kibana | 2025-07-13 | 6.5 Medium |
| An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. | ||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-07-13 | 8.7 High |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | ||||
| CVE-2024-52972 | 1 Elastic | 1 Kibana | 2025-07-13 | 6.5 Medium |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. | ||||
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-07-13 | 9.1 Critical |
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | ||||
| CVE-2024-43708 | 1 Elastic | 1 Kibana | 2025-07-12 | 6.5 Medium |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. | ||||
| CVE-2024-43707 | 1 Elastic | 1 Kibana | 2025-07-12 | 7.7 High |
| An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. | ||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-07-12 | 9.9 Critical |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors | ||||
| CVE-2025-25012 | 1 Elastic | 1 Kibana | 2025-07-06 | 4.3 Medium |
| URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. | ||||
| CVE-2024-43706 | 1 Elastic | 1 Kibana | 2025-06-24 | 7.6 High |
| Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. | ||||
| CVE-2023-46675 | 1 Elastic | 1 Kibana | 2025-05-22 | 8 High |
| An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete. | ||||
| CVE-2025-25016 | 1 Elastic | 1 Kibana | 2025-05-06 | 4.3 Medium |
| Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. | ||||
| CVE-2024-11390 | 1 Elastic | 1 Kibana | 2025-05-02 | 5.4 Medium |
| Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. | ||||
| CVE-2021-22141 | 1 Elastic | 1 Kibana | 2025-04-29 | 6.1 Medium |
| An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||||
| CVE-2021-37936 | 1 Elastic | 1 Kibana | 2025-04-29 | 5.4 Medium |
| It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user. | ||||
| CVE-2017-11479 | 2 Elastic, Elasticsearch | 2 Kibana, Kibana | 2025-04-20 | N/A |
| Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2016-10365 | 1 Elastic | 1 Kibana | 2025-04-20 | N/A |
| Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. | ||||
| CVE-2017-8440 | 1 Elastic | 1 Kibana | 2025-04-20 | N/A |
| Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2016-1000220 | 2 Elastic, Redhat | 2 Kibana, Openshift | 2025-04-20 | N/A |
| Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. | ||||