Kibana
by Elastic
Source repositories
CVEs (115)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-26939 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by… |
| CVE-2026-26938 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana, which could allow an attacker to read arbitrary files from the Kibana server filesystem and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242).… |
| CVE-2026-26937 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153). |
| CVE-2026-26936 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492). |
| CVE-2026-26935 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153). |
| CVE-2026-26934 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing… |
| CVE-2026-0543 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to… |
| CVE-2026-0531 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read… |
| CVE-2026-0530 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until… |
| CVE-2026-0528 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset.… |
| CVE-2025-68422 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully… |
| CVE-2025-68386 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a… |
| CVE-2025-68389 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. |
| CVE-2025-68387 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function… |
| CVE-2025-68385 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a… |
| CVE-2025-37732 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018)… |
| CVE-2025-37734 | | | 0.00 | — | 0.00 | | Nov 12, 2025 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. |
| CVE-2025-25017 | | | 0.00 | — | 0.00 | | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS). |
| CVE-2025-25018 | | | 0.00 | — | 0.00 | | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS). |
| CVE-2025-25009 | | | 0.00 | — | 0.00 | | Oct 7, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. |
Page 3 of 6