apk package
chainguard/kibana-8.18-bitnami
pkg:apk/chainguard/kibana-8.18-bitnami
Vulnerabilities (51)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0532 | Hig | 8.6 | < 8.18.8-r10 | 8.18.8-r10 | Jan 14, 2026 | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker | |
| CVE-2026-0543 | — | < 8.18.8-r10 | 8.18.8-r10 | Jan 13, 2026 | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e | ||
| CVE-2026-0531 | — | < 8.18.8-r10 | 8.18.8-r10 | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce | ||
| CVE-2026-0530 | — | < 8.18.8-r10 | 8.18.8-r10 | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser | ||
| CVE-2025-68665 | — | < 8.18.8-r6 | 8.18.8-r6 | Dec 23, 2025 | LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify | ||
| CVE-2025-68422 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re | ||
| CVE-2025-68386 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a | ||
| CVE-2025-68389 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 18, 2025 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. | ||
| CVE-2025-68387 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han | ||
| CVE-2025-68385 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre | ||
| CVE-2025-14874 | — | < 8.18.8-r3 | 8.18.8-r3 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | ||
| CVE-2025-68154 | — | < 0 | 0 | Dec 16, 2025 | systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com | ||
| CVE-2025-37732 | — | < 8.18.8-r10 | 8.18.8-r10 | Dec 15, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing | ||
| CVE-2025-65945 | — | < 8.18.8-r4 | 8.18.8-r4 | Dec 4, 2025 | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us | ||
| CVE-2025-66030 | — | < 8.18.8-r3 | 8.18.8-r3 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. | ||
| CVE-2025-66031 | — | < 8.18.8-r3 | 8.18.8-r3 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re | ||
| CVE-2025-12816 | — | < 8.18.8-r3 | 8.18.8-r3 | Nov 25, 2025 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s | ||
| CVE-2025-64756 | — | < 0 | 0 | Nov 17, 2025 | Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. | ||
| CVE-2025-13033 | Hig | 7.5 | < 8.18.8-r1 | 8.18.8-r1 | Nov 14, 2025 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m | |
| CVE-2025-64718 | — | < 8.18.8-r2 | 8.18.8-r2 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T |
- affected < 8.18.8-r10fixed 8.18.8-r10
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker
- CVE-2026-0543Jan 13, 2026affected < 8.18.8-r10fixed 8.18.8-r10
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e
- CVE-2026-0531Jan 13, 2026affected < 8.18.8-r10fixed 8.18.8-r10
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce
- CVE-2026-0530Jan 13, 2026affected < 8.18.8-r10fixed 8.18.8-r10
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser
- CVE-2025-68665Dec 23, 2025affected < 8.18.8-r6fixed 8.18.8-r6
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify
- CVE-2025-68422Dec 18, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re
- CVE-2025-68386Dec 18, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a
- CVE-2025-68389Dec 18, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
- CVE-2025-68387Dec 18, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han
- CVE-2025-68385Dec 18, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre
- CVE-2025-14874Dec 18, 2025affected < 8.18.8-r3fixed 8.18.8-r3
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
- CVE-2025-68154Dec 16, 2025affected < 0fixed 0
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com
- CVE-2025-37732Dec 15, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing
- CVE-2025-65945Dec 4, 2025affected < 8.18.8-r4fixed 8.18.8-r4
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us
- CVE-2025-66030Nov 26, 2025affected < 8.18.8-r3fixed 8.18.8-r3
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.
- CVE-2025-66031Nov 26, 2025affected < 8.18.8-r3fixed 8.18.8-r3
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re
- CVE-2025-12816Nov 25, 2025affected < 8.18.8-r3fixed 8.18.8-r3
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s
- CVE-2025-64756Nov 17, 2025affected < 0fixed 0
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.
- affected < 8.18.8-r1fixed 8.18.8-r1
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m
- CVE-2025-64718Nov 13, 2025affected < 8.18.8-r2fixed 8.18.8-r2
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
Page 2 of 3