VYPR

Kibana

by Elastic

npm: kibana

CVEs (115)

  • CVE-2016-1000218 (High) Jun 16, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    Kibana Reporting plugin version 2.4.0 has a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.

  • CVE-2017-8452 (High) Jun 16, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors fail to be cleaned up after certain requests and accumulate over time until the process crashes.

  • CVE-2016-1000219 (High) Jun 16, 2017
    risk 0.49, CVSS 7.5, EPSS 0.02

    In Kibana before 4.5.4 and 4.1.11, when a custom output is configured for logging, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as…

  • CVE-2026-42398 (High) May 28, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound…

  • CVE-2026-4498 (High) Apr 8, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Execution with Unnecessary Privileges (CWE-250) in Kibana's Fleet plugin debug route handlers can lead to reading index data beyond the caller's direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges…

  • CVE-2026-33461 (High) Apr 8, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens,…

  • CVE-2026-49095 (Medium) May 28, 2026
    risk 0.42, CVSS 6.5, EPSS 0.00

    Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism…

  • CVE-2026-33464 (Medium) May 28, 2026
    risk 0.42, CVSS 6.5, EPSS 0.00

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process…

  • CVE-2017-8443 (Medium) Jun 30, 2017
    risk 0.42, CVSS 6.5, EPSS 0.01

    In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL, the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The…

  • CVE-2016-10364 (Medium) Jun 16, 2017
    risk 0.42, CVSS 6.5, EPSS 0.01

    With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 did not properly authenticate requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions.

  • CVE-2018-3830 (Medium) Sep 19, 2018
    risk 0.40, CVSS 6.1, EPSS 0.02

    Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2018-3821 (Medium) Mar 30, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2018-3820 (Medium) Mar 30, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2018-3819 (Medium) Mar 30, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2018-3818 (Medium) Mar 30, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2017-11482 (Medium) Dec 8, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2017-11481 (Medium) Dec 8, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2017-11479 (Medium) Sep 29, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2017-8451 (Medium) Jun 16, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2016-10366 (Medium) Jun 16, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.

Page 1 of 6