Bitnami package
kibana
pkg:bitnami/kibana
Vulnerabilities (56)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0532 | Hig | 8.6 | < 8.19.10 | 8.19.10 | Jan 14, 2026 | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker | |
| CVE-2026-0543 | — | < 8.19.10 | 8.19.10 | Jan 13, 2026 | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e | ||
| CVE-2026-0531 | — | < 8.19.10 | 8.19.10 | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce | ||
| CVE-2026-0530 | — | < 8.19.10 | 8.19.10 | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser | ||
| CVE-2025-68422 | — | < 8.19.7 | 8.19.7 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re | ||
| CVE-2025-68386 | — | < 8.19.8 | 8.19.8 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a | ||
| CVE-2025-68389 | — | < 8.19.9 | 8.19.9 | Dec 18, 2025 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. | ||
| CVE-2025-68387 | — | < 8.19.9 | 8.19.9 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han | ||
| CVE-2025-68385 | — | < 8.19.9 | 8.19.9 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre | ||
| CVE-2025-37732 | — | < 8.19.8 | 8.19.8 | Dec 15, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing | ||
| CVE-2025-37734 | — | >= 8.12.0, < 8.19.7 | 8.19.7 | Nov 12, 2025 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | ||
| CVE-2025-25017 | — | < 8.18.8 | 8.18.8 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | ||
| CVE-2025-25018 | — | < 8.18.8 | 8.18.8 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) | ||
| CVE-2025-37728 | Med | 5.4 | < 8.18.8 | 8.18.8 | Oct 7, 2025 | Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the | |
| CVE-2025-25009 | — | < 8.18.8 | 8.18.8 | Oct 7, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||
| CVE-2025-25010 | — | >= 9.0.0, < 9.0.6 | 9.0.6 | Aug 28, 2025 | Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. | ||
| CVE-2025-25012 | — | >= 7.0.0, < 7.17.29 | 7.17.29 | Jun 25, 2025 | URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. | ||
| CVE-2024-43706 | — | >= 8.12.0, < 8.12.1 | 8.12.1 | Jun 10, 2025 | Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. | ||
| CVE-2025-25014 | — | >= 8.3.0, < 8.17.6 | 8.17.6 | May 6, 2025 | A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | ||
| CVE-2024-11390 | — | >= 7.17.6, < 7.17.23 | 7.17.23 | May 1, 2025 | Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. |
- affected < 8.19.10fixed 8.19.10
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker
- CVE-2026-0543Jan 13, 2026affected < 8.19.10fixed 8.19.10
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e
- CVE-2026-0531Jan 13, 2026affected < 8.19.10fixed 8.19.10
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce
- CVE-2026-0530Jan 13, 2026affected < 8.19.10fixed 8.19.10
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser
- CVE-2025-68422Dec 18, 2025affected < 8.19.7fixed 8.19.7
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re
- CVE-2025-68386Dec 18, 2025affected < 8.19.8fixed 8.19.8
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a
- CVE-2025-68389Dec 18, 2025affected < 8.19.9fixed 8.19.9
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
- CVE-2025-68387Dec 18, 2025affected < 8.19.9fixed 8.19.9
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han
- CVE-2025-68385Dec 18, 2025affected < 8.19.9fixed 8.19.9
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre
- CVE-2025-37732Dec 15, 2025affected < 8.19.8fixed 8.19.8
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing
- CVE-2025-37734Nov 12, 2025affected >= 8.12.0, < 8.19.7fixed 8.19.7
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
- CVE-2025-25017Oct 10, 2025affected < 8.18.8fixed 8.18.8
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
- CVE-2025-25018Oct 10, 2025affected < 8.18.8fixed 8.18.8
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
- affected < 8.18.8fixed 8.18.8
Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the
- CVE-2025-25009Oct 7, 2025affected < 8.18.8fixed 8.18.8
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
- CVE-2025-25010Aug 28, 2025affected >= 9.0.0, < 9.0.6fixed 9.0.6
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.
- CVE-2025-25012Jun 25, 2025affected >= 7.0.0, < 7.17.29fixed 7.17.29
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
- CVE-2024-43706Jun 10, 2025affected >= 8.12.0, < 8.12.1fixed 8.12.1
Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
- CVE-2025-25014May 6, 2025affected >= 8.3.0, < 8.17.6fixed 8.17.6
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
- CVE-2024-11390May 1, 2025affected >= 7.17.6, < 7.17.23fixed 7.17.23
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
Page 2 of 3