VYPR

Kibana

by Elastic

npm: kibana

CVEs (115)

  • CVE-2026-26939 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by…

  • CVE-2026-26938 (Feb 26, 2026)
    risk 0.00 | cvss | epss 0.00

    Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242).…

  • CVE-2026-26937 (Feb 26, 2026)
    risk 0.00 | cvss | epss 0.00

    Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

  • CVE-2026-26936 (Feb 26, 2026)
    risk 0.00 | cvss | epss 0.00

    Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service via Regular Expression Exponential Blowup (CAPEC-492).

  • CVE-2026-26935 (Feb 26, 2026)
    risk 0.00 | cvss | epss 0.00

    Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Input Data Manipulation (CAPEC-153).

  • CVE-2026-26934 (Feb 26, 2026)
    risk 0.00 | cvss | epss 0.00

    Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing…

  • CVE-2026-0543 (Jan 13, 2026)
    risk 0.00 | cvss | epss 0.00

    Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to…

  • CVE-2026-0531 (Jan 13, 2026)
    risk 0.00 | cvss | epss 0.00

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read…

  • CVE-2026-0530 (Jan 13, 2026)
    risk 0.00 | cvss | epss 0.00

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until…

  • CVE-2026-0528 (Jan 13, 2026)
    risk 0.00 | cvss | epss 0.00

    Improper Validation of Array Index (CWE-129) in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset.…

  • CVE-2025-68422 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully…

  • CVE-2025-68386 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a…

  • CVE-2025-68389 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

  • CVE-2025-68387 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function…

  • CVE-2025-68385 (Dec 18, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a…

  • CVE-2025-37732 (Dec 15, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018)…

  • CVE-2025-37734 (Nov 12, 2025)
    risk 0.00 | cvss | epss 0.00

    Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

  • CVE-2025-25017 (Oct 10, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)

  • CVE-2025-25018 (Oct 10, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)

  • CVE-2025-25009 (Oct 7, 2025)
    risk 0.00 | cvss | epss 0.00

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
