Kibana
by Elastic
Source repositories
CVEs (115)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10365 | Elastic / Kibana | Med | 0.40 | 6.1 | 0.01 | | Jun 16, 2017 | Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. |
| CVE-2016-1000220 | Elastic / Kibana | Med | 0.40 | 6.1 | 0.01 | | Jun 16, 2017 | Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. |
| CVE-2015-9056 | Elastic / Kibana | Med | 0.40 | 6.1 | 0.01 | | Jun 16, 2017 | Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack. |
| CVE-2017-8440 | Elastic / Kibana | Med | 0.40 | 6.1 | 0.01 | | Jun 5, 2017 | Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. |
| CVE-2017-8439 | Elastic / Kibana | Med | 0.40 | 6.1 | 0.01 | | Jun 5, 2017 | Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. |
| CVE-2026-49094 | Elastic / Kibana | Med | 0.35 | 6.5 | 0.00 | | May 28, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint.… |
| CVE-2026-42400 | Elastic / Kibana | Med | 0.35 | 6.5 | 0.00 | | May 28, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and… |
| CVE-2026-42399 | Elastic / Kibana | Med | 0.35 | 6.5 | 0.00 | | May 28, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion… |
| CVE-2026-33459 | Elastic / Kibana | Med | 0.35 | 6.5 | 0.00 | | Apr 8, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple… |
| CVE-2025-37728 | Elastic / Kibana | Med | 0.35 | 5.4 | 0.00 | | Oct 7, 2025 | Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which… |
| CVE-2026-49093 | Elastic / Kibana | Med | 0.34 | 6.3 | 0.00 | | May 28, 2026 | Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to… |
| CVE-2026-33458 | Elastic / Kibana | Med | 0.34 | 6.3 | 0.00 | | Apr 8, 2026 | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive… |
| CVE-2026-33463 | Elastic / Kibana | Med | 0.27 | 5.3 | 0.00 | | May 28, 2026 | Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window,… |
| CVE-2026-33462 | Elastic / Kibana | Med | 0.23 | 4.6 | 0.00 | | May 28, 2026 | A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through… |
| CVE-2026-33460 | Elastic / Kibana | Med | 0.21 | 4.3 | 0.00 | | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment… |
| CVE-2026-42401 | Elastic / Kibana | Med | 0.20 | 4.1 | 0.00 | | May 28, 2026 | Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user,… |
| CVE-2019-7609 | Elastic / Kibana | | 0.16 | — | 0.95 | KEV | Mar 25, 2019 | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing… |
| CVE-2020-7012 | Elastic / Kibana | | 0.09 | — | 0.18 | | Jun 3, 2020 | Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to… |
| CVE-2018-17246 | Elastic / Kibana | | 0.08 | — | 0.82 | | Dec 20, 2018 | Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing… |
| CVE-2026-26940 | Elastic / Kibana | | 0.00 | — | 0.00 | | Mar 19, 2026 | Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that… |
Page 2 of 6