Kibana
by Elastic
Source repositories
CVEs (115)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000218 | Hig | 0.57 | 8.8 | 0.01 | Jun 16, 2017 | Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. | ||
| CVE-2017-8452 | Hig | 0.49 | 7.5 | 0.01 | Jun 16, 2017 | Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. | ||
| CVE-2016-1000219 | Hig | 0.49 | 7.5 | 0.02 | Jun 16, 2017 | Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as… | ||
| CVE-2026-42398 | Hig | 0.43 | 7.7 | 0.00 | May 28, 2026 | Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound… | ||
| CVE-2026-4498 | Hig | 0.43 | 7.7 | 0.00 | Apr 8, 2026 | Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges… | ||
| CVE-2026-33461 | Hig | 0.43 | 7.7 | 0.00 | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens,… | ||
| CVE-2026-49095 | Med | 0.42 | 6.5 | 0.00 | May 28, 2026 | Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism… | ||
| CVE-2026-33464 | Med | 0.42 | 6.5 | 0.00 | May 28, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process… | ||
| CVE-2017-8443 | Med | 0.42 | 6.5 | 0.01 | Jun 30, 2017 | In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The… | ||
| CVE-2016-10364 | Med | 0.42 | 6.5 | 0.01 | Jun 16, 2017 | With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. | ||
| CVE-2018-3830 | Med | 0.40 | 6.1 | 0.02 | Sep 19, 2018 | Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2018-3821 | Med | 0.40 | 6.1 | 0.01 | Mar 30, 2018 | Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2018-3820 | Med | 0.40 | 6.1 | 0.01 | Mar 30, 2018 | Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2018-3819 | Med | 0.40 | 6.1 | 0.01 | Mar 30, 2018 | The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | ||
| CVE-2018-3818 | Med | 0.40 | 6.1 | 0.01 | Mar 30, 2018 | Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2017-11482 | Med | 0.40 | 6.1 | 0.01 | Dec 8, 2017 | The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | ||
| CVE-2017-11481 | Med | 0.40 | 6.1 | 0.01 | Dec 8, 2017 | Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2017-11479 | Med | 0.40 | 6.1 | 0.01 | Sep 29, 2017 | Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||
| CVE-2017-8451 | Med | 0.40 | 6.1 | 0.01 | Jun 16, 2017 | With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | ||
| CVE-2016-10366 | Med | 0.40 | 6.1 | 0.01 | Jun 16, 2017 | Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. |
- risk 0.57cvss 8.8epss 0.01
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
- risk 0.49cvss 7.5epss 0.01
Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
- risk 0.49cvss 7.5epss 0.02
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as…
- risk 0.43cvss 7.7epss 0.00
Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound…
- risk 0.43cvss 7.7epss 0.00
Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges…
- risk 0.43cvss 7.7epss 0.00
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens,…
- risk 0.42cvss 6.5epss 0.00
Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism…
- risk 0.42cvss 6.5epss 0.00
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process…
- risk 0.42cvss 6.5epss 0.01
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The…
- risk 0.42cvss 6.5epss 0.01
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.
- risk 0.40cvss 6.1epss 0.02
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
- risk 0.40cvss 6.1epss 0.01
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
- risk 0.40cvss 6.1epss 0.01
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- risk 0.40cvss 6.1epss 0.01
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
- risk 0.40cvss 6.1epss 0.01
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
Page 1 of 6