VYPR

Bitnami package

kibana

pkg:bitnami/kibana

Vulnerabilities (56)

  • CVE-2026-49095MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism th

  • CVE-2026-49094MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kiban

  • CVE-2026-49093MedMay 28, 2026
    affected >= 9.3.0, < 9.3.3fixed 9.3.3

    Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to bl

  • CVE-2026-42400MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CP

  • CVE-2026-42399MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visuali

  • CVE-2026-42398HigMay 28, 2026
    affected >= 9.0.0, < 9.2.8fixed 9.2.8

    Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound request

  • CVE-2026-42401MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was

  • CVE-2026-33464MedMay 28, 2026
    affected < 9.4.2fixed 9.4.2

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process

  • CVE-2026-33463MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enablin

  • CVE-2026-33462MedMay 28, 2026
    affected >= 8.0.0, < 8.19.16fixed 8.19.16

    A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through

  • CVE-2026-33459MedApr 8, 2026
    affected >= 8.0.0, < 8.19.14fixed 8.19.14

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple suc

  • CVE-2026-33458MedApr 8, 2026
    affected >= 9.3.0, < 9.3.3fixed 9.3.3

    Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal

  • CVE-2026-4498HigApr 8, 2026
    affected >= 8.0.0, < 8.19.14fixed 8.19.14

    Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (su

  • CVE-2026-33461HigApr 8, 2026
    affected >= 8.0.0, < 8.19.14fixed 8.19.14

    Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, th

  • CVE-2026-33460MedApr 8, 2026
    affected >= 8.0.0, < 8.19.14fixed 8.19.14

    Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment

  • CVE-2026-26938Feb 26, 2026
    affected >= 9.3.0, < 9.3.1fixed 9.3.1

    Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). T

  • CVE-2026-26937Feb 26, 2026
    affected >= 8.0.0, < 8.19.11fixed 8.19.11

    Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

  • CVE-2026-26936Feb 26, 2026
    affected >= 8.0.0, < 8.19.11fixed 8.19.11

    Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

  • CVE-2026-26935Feb 26, 2026
    affected >= 8.4.0, < 8.19.12fixed 8.19.12

    Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

  • CVE-2026-26934Feb 26, 2026
    affected >= 8.18.0, < 8.19.12fixed 8.19.12

    Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessiv

Page 1 of 3