Vendor
Elastic
Products
6
CVEs
175
Across products
304
Status
Private
Products
6- 170 CVEs
- 46 CVEs
- 41 CVEs
- 40 CVEs
- 6 CVEs
- 1 CVE
Recent CVEs
175| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-1427 | Cri | 0.86 | 9.8 | 0.92 | KEV | Feb 17, 2015 | The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. |
| CVE-2014-3120 | Hig | 0.67 | 8.1 | 0.83 | KEV | Jul 28, 2014 | The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. |
| CVE-2017-8448 | Hig | 0.57 | 8.8 | 0.00 | Sep 29, 2017 | An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. | |
| CVE-2017-8438 | Hig | 0.57 | 8.8 | 0.00 | Jun 5, 2017 | Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen. | |
| CVE-2026-33466 | Hig | 0.53 | 8.1 | 0.00 | Apr 8, 2026 | Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. | |
| CVE-2026-4498 | Hig | 0.50 | 7.7 | 0.00 | Apr 8, 2026 | Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management). | |
| CVE-2026-33461 | Hig | 0.50 | 7.7 | 0.00 | Apr 8, 2026 | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | |
| CVE-2015-5378 | Hig | 0.49 | 7.5 | 0.01 | Jun 27, 2017 | Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server. | |
| CVE-2017-8452 | Hig | 0.49 | 7.5 | 0.00 | Jun 16, 2017 | Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. | |
| CVE-2017-8450 | Hig | 0.49 | 7.5 | 0.00 | Jun 16, 2017 | X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. | |
| CVE-2016-10363 | Hig | 0.49 | 7.5 | 0.01 | Jun 16, 2017 | Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit. | |
| CVE-2016-1000222 | Hig | 0.49 | 7.5 | 0.00 | Jun 16, 2017 | Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | |
| CVE-2026-33459 | Med | 0.42 | 6.5 | 0.00 | Apr 8, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. | |
| CVE-2026-0529 | Med | 0.42 | 6.5 | 0.00 | Jan 14, 2026 | Improper Validation of Array Index (CWE-129) in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. | |
| CVE-2017-8447 | Med | 0.42 | 6.5 | 0.00 | Sep 29, 2017 | An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. | |
| CVE-2017-8442 | Med | 0.42 | 6.5 | 0.00 | Jul 7, 2017 | Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. | |
| CVE-2017-8443 | Med | 0.42 | 6.5 | 0.00 | Jun 30, 2017 | In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs. | |
| CVE-2016-10362 | Med | 0.42 | 6.5 | 0.00 | Jun 16, 2017 | Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. | |
| CVE-2016-1000221 | Hig | 0.42 | 7.5 | 0.01 | Jun 16, 2017 | Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. | |
| CVE-2026-33458 | Med | 0.41 | 6.3 | 0.00 | Apr 8, 2026 | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. |