VYPR

Bitnami package

elk

pkg:bitnami/elk

Vulnerabilities (56)

  • CVE-2026-0532HigJan 14, 2026
    affected < 8.19.10fixed 8.19.10

    External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker

  • CVE-2026-0543Jan 13, 2026
    affected < 8.19.10fixed 8.19.10

    Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e

  • CVE-2026-0531Jan 13, 2026
    affected < 8.19.10fixed 8.19.10

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce

  • CVE-2026-0530Jan 13, 2026
    affected < 8.19.10fixed 8.19.10

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser

  • CVE-2025-68422Dec 18, 2025
    affected < 8.19.7fixed 8.19.7

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re

  • CVE-2025-68386Dec 18, 2025
    affected < 8.19.8fixed 8.19.8

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a

  • CVE-2025-68389Dec 18, 2025
    affected < 8.19.9fixed 8.19.9

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

  • CVE-2025-68387Dec 18, 2025
    affected < 8.19.9fixed 8.19.9

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han

  • CVE-2025-68385Dec 18, 2025
    affected < 8.19.9fixed 8.19.9

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre

  • CVE-2025-37732Dec 15, 2025
    affected < 8.19.8fixed 8.19.8

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing

  • CVE-2025-37734MedNov 12, 2025
    affected >= 8.12.0, < 8.19.7fixed 8.19.7

    Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

  • CVE-2025-25018HigOct 10, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)

  • CVE-2025-25017HigOct 10, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)

  • CVE-2025-37728MedOct 7, 2025
    affected < 8.18.8fixed 8.18.8

    Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the

  • CVE-2025-25009HigOct 7, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

  • CVE-2025-25010MedAug 28, 2025
    affected >= 9.0.0, < 9.0.6fixed 9.0.6

    Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.

  • CVE-2025-25012MedJun 25, 2025
    affected >= 7.0.0, < 7.17.29fixed 7.17.29

    URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

  • CVE-2024-43706HigJun 10, 2025
    affected >= 8.12.0, < 8.12.1fixed 8.12.1

    Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.

  • CVE-2025-25014CriMay 6, 2025
    affected >= 8.3.0, < 8.18.1fixed 8.18.1

    A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

  • CVE-2025-25016MedMay 1, 2025
    affected >= 7.17.0, < 7.17.18fixed 7.17.18

    Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.