VYPR

Kibana

by Elastic

npm: kibana

CVEs (115)

  • CVE-2016-10365 | Med | Jun 16, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.

  • CVE-2016-1000220 | Med | Jun 16, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Kibana before 4.5.4 and 4.1.11 is vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.

  • CVE-2015-9056 | Med | Jun 16, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack.

  • CVE-2017-8440 | Med | Jun 5, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2017-8439 | Med | Jun 5, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.

  • CVE-2026-49094 | Med | May 28, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint.…

  • CVE-2026-42400 | Med | May 28, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and…

  • CVE-2026-42399 | Med | May 28, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion…

  • CVE-2026-33459 | Med | Apr 8, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple…

  • CVE-2025-37728 | Med | Oct 7, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which…

  • CVE-2026-49093 | Med | May 28, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to…

  • CVE-2026-33458 | Med | Apr 8, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive…

  • CVE-2026-33463 | Med | May 28, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window,…

  • CVE-2026-33462 | Med | May 28, 2026
    risk 0.23 | cvss 4.6 | epss 0.00

    A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through…

  • CVE-2026-33460 | Med | Apr 8, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment…

  • CVE-2026-42401 | Med | May 28, 2026
    risk 0.20 | cvss 4.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user,…

  • CVE-2019-7609 | KEV | Mar 25, 2019
    risk 0.16 | cvss n/a | epss 0.95

    Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing…

  • CVE-2020-7012 | Jun 3, 2020
    risk 0.09 | cvss n/a | epss 0.18

    Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to…

  • CVE-2018-17246 | Dec 20, 2018
    risk 0.08 | cvss n/a | epss 0.82

    Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing…

  • CVE-2026-26940 | Mar 19, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that…

Page 2 of 6