📦 Kibana
by Elastic
🔍 What is Kibana?
Kibana is Elastic's web front end for Elasticsearch. It serves the search, dashboard and visualization UI and also hosts the Fleet (Elastic Agent management), Reporting, Synthetics, osquery, alerting, Security and Observability features named in the findings below. It runs as a Node.js server plus a browser application, so its attack surface spans server-side request handling (authorization checks, object merging, YAML parsing, outbound requests) and client-side rendering (Vega visualizations and user-uploaded content).
🛡️ Security Overview
⚠️ Known Vulnerabilities
A prototype pollution vulnerability in Kibana allows attackers to execute arbitrary code by sending specially crafted HTTP requests to machine learning and reporting endpoints. This affects all Kibana...
A deserialization vulnerability in Kibana allows authenticated attackers with specific Elasticsearch and Kibana privileges to execute arbitrary code by uploading malicious YAML documents. This affects...
A deserialization vulnerability in Kibana allows arbitrary code execution when parsing malicious YAML documents. This only affects users who have enabled Elastic Security's built-in AI tools and confi...
This CVE describes a prototype pollution vulnerability in Kibana that allows authenticated attackers with specific permissions to execute arbitrary code. It affects Kibana instances where users have M...
Kibana 8.10.0 logs sensitive information like authentication credentials, cookies, and authorization headers in error logs when configured with JSON layout or %meta pattern. This vulnerability allows ...
This CVE describes a cross-site scripting (XSS) vulnerability in Vega visualization components that allows authenticated users to inject malicious scripts into web content. The vulnerability bypasses ...
This vulnerability in Kibana allows attackers to inject malicious scripts into web pages through improper input neutralization, leading to stored cross-site scripting (XSS). When exploited, it enables...
This CVE describes a cross-site scripting (XSS) vulnerability in Kibana where improper input sanitization during web page generation allows attackers to inject malicious scripts. The vulnerability aff...
This CVE describes an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to perform unauthorized actions via direct HTTP requests. It affects K...
This vulnerability allows attackers to exploit prototype pollution in Kibana to achieve code injection by combining unrestricted file upload with path traversal. It affects Kibana instances with vulne...
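Three of the entries above (the ML/reporting endpoints, the authenticated variant, and the file-upload chain) share one root cause: a recursive object merge that treats "__proto__" like any other key. The example below is added here and is not Kibana's code; it shows the vulnerable merge next to a hardened one, with a constructed JSON body standing in for the attacker's HTTP request. The function and constant names are assumptions.

```javascript
// Added example (not Kibana's code): a recursive object merge with the bug class
// behind the prototype-pollution findings, and a hardened version beside it.

// VULNERABLE: treats "__proto__" like any other key. Because a plain object's
// "__proto__" resolves to Object.prototype, the recursion writes the attacker's
// values onto Object.prototype, where every object in the process inherits them.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach the prototype chain, and only descend
// into properties the target actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body, as it would arrive in a JSON HTTP request.
// JSON.parse creates "__proto__" as an ordinary own property, so it survives
// into Object.keys(); the merge is what turns it into a prototype write.
const ATTACKER_BODY = '{"name":"x","__proto__":{"isAdmin":true}}';

function demoPrototypePollution() {
  const before = ({}).isAdmin;          // undefined: prototype is clean
  unsafeMerge({}, JSON.parse(ATTACKER_BODY));
  const afterUnsafe = ({}).isAdmin;     // true: an unrelated object is now "admin"
  delete Object.prototype.isAdmin;      // undo the pollution for the next check
  safeMerge({}, JSON.parse(ATTACKER_BODY));
  const afterSafe = ({}).isAdmin;       // undefined: hardened merge dropped the key
  return { before, afterUnsafe, afterSafe };
}
```

Rejecting the three keys is the minimum; the defence-in-depth steps are to validate request bodies against a schema that rejects unknown keys before they reach any merge, and to run Node with `--disable-proto=delete` (or `throw`) so the `__proto__` accessor does not exist at all. Whether pollution becomes code execution depends on what the process later reads from inherited properties (template options, child-process arguments, file paths), which is why the same bug class appears with different impacts in the entries above.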
This CVE describes an information disclosure vulnerability in Kibana where users without Fleet privileges can view Elastic Agent policies that may contain sensitive data. The vulnerability affects Kib...
This vulnerability in Kibana logs sensitive credentials like kibana_system user passwords, API keys, and end-user credentials when specific errors occur during Elasticsearch cluster interactions. It a...
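Both credential-logging entries (the 8.10.0 JSON/%meta layout issue and the Elasticsearch error-path leak) come down to error metadata being serialized wholesale. The example below is added here and is not Kibana's code; it is a redaction pass a practitioner would put in front of a logger. The header names, field-name pattern and the sample error object are constructed assumptions chosen to match the kinds of values the entries say were leaked; none of the values are real credentials.

```javascript
// Added example (not Kibana's code): scrub secrets out of error metadata before
// it reaches a logger. Header and field names are assumptions.

const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie',
  'x-elastic-api-key', 'es-client-authentication',
]);
const SENSITIVE_FIELDS = /^(password|passwd|pwd|api[_-]?key|secret|token|session)$/i;
// "Basic dXNlcjpwYXNz", "Bearer eyJ...", "ApiKey abc==" embedded in free text
const CREDENTIAL_IN_TEXT = /\b(Basic|Bearer|ApiKey)\s+[A-Za-z0-9+/=._-]+/g;
// password=... / api_key=... / token=... inside a URL query string
const CREDENTIAL_IN_QUERY = /([?&](?:password|api_key|token)=)[^&#\s]*/gi;

// Returns a redacted deep copy; the input is never mutated.
function redact(value, depth = 0) {
  if (depth > 32) return '[truncated]';                 // guards cycles and deep nesting
  if (typeof value === 'string') {
    return value
      .replace(CREDENTIAL_IN_TEXT, '$1 [REDACTED]')
      .replace(CREDENTIAL_IN_QUERY, '$1[REDACTED]');
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (SENSITIVE_HEADERS.has(key.toLowerCase()) || SENSITIVE_FIELDS.test(key)) {
        out[key] = '[REDACTED]';
      } else {
        out[key] = redact(v, depth + 1);
      }
    }
    return out;
  }
  return value;
}

// Constructed error metadata of the shape a client library might attach to a
// failed request. The Basic value decodes to "kibana_system:s3cr3t" (made up).
const SAMPLE_ERROR_META = {
  message: 'request to Elasticsearch failed: 401 Unauthorized (Basic a2liYW5hX3N5c3RlbTpzM2NyM3Q=)',
  request: {
    method: 'GET',
    url: 'https://es.internal:9200/_security/_authenticate?api_key=AbCdEf123',
    headers: {
      Authorization: 'Basic a2liYW5hX3N5c3RlbTpzM2NyM3Q=',
      Cookie: 'sid=9f2c1d',
      'User-Agent': 'kibana/8.10.0',
    },
  },
  config: { elasticsearch: { username: 'kibana_system', password: 's3cr3t' } },
};

function redactedSample() {
  return redact(SAMPLE_ERROR_META);
}
```

Two caveats when wiring this in: `Error` instances expose `message` and `stack` as non-enumerable properties, so serialize them into a plain object first or the pass will silently drop them; and a deny-list of field names is only as good as its coverage, so the text and query-string regexes exist to catch credentials that end up inside values rather than under a recognisable key.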
CVE-2023-31414 allows arbitrary code execution in Kibana when an attacker with write access to configuration files injects malicious JavaScript payloads. This vulnerability affects Kibana versions 8.0...
This CVE describes two denial-of-service vulnerabilities in Metricbeat where specially crafted payloads sent to Graphite or Zookeeper metricsets, or malformed metric data sent to the Prometheus helper...
This vulnerability in Kibana Fleet allows attackers to send specially crafted requests that cause excessive resource allocation, leading to service degradation or complete unavailability through resou...
CVE-2026-0531 is a resource exhaustion vulnerability in Kibana Fleet where specially crafted bulk retrieval requests can cause excessive memory consumption leading to server crashes. Attackers with vi...
This vulnerability allows authenticated Kibana users to escalate privileges by changing document sharing settings to 'global', making documents visible to all users in a space. It affects Kibana insta...
This CVE describes a cross-site scripting (XSS) vulnerability in Kibana's Vega AST evaluator that allows unauthenticated attackers to inject malicious scripts into web pages. When exploited, these scr...
This vulnerability allows authenticated Kibana users with low privileges to send crafted HTTP requests that cause excessive resource allocation, leading to denial of service. It affects Kibana instanc...
CVE-2025-68422 is an improper authorization vulnerability in Kibana that allows authenticated users to bypass permission restrictions via crafted HTTP requests. This enables attackers without 'live qu...
This CVE describes a cross-site scripting (XSS) vulnerability in Kibana's integration package upload functionality that allows authenticated users to inject HTML into other users' browsers. It affects...
An origin validation error in Kibana's Observability AI Assistant allows attackers to perform Server-Side Request Forgery (SSRF) by forging the Origin HTTP header. This vulnerability affects Kibana in...
This CVE describes an incorrect authorization vulnerability in Kibana where the built-in reporting_user role has excessive permissions, allowing it to access all Kibana Spaces. This enables privilege ...
This vulnerability allows attackers to upload malicious HTML/JavaScript files through Kibana's Synthetics app, leading to cross-site scripting (XSS) attacks. Users with access to the Synthetics app or...
This vulnerability allows authenticated users with read access to Kibana to send specially crafted payloads that cause resource exhaustion, leading to Kibana service crashes. It affects Kibana instanc...
A server-side request forgery (SSRF) vulnerability in Kibana's Fleet API allows authenticated users with read access to send requests to internal HTTPS endpoints that return JSON. This could expose in...
This vulnerability allows high-privileged Kibana users with osquery pack creation permissions to upload malicious packs that could cause Kibana availability issues through resource exhaustion. It affe...
This CVE describes an open redirect vulnerability in Kibana where attackers can craft malicious URLs that redirect users to arbitrary external websites. Kibana users who click on specially crafted lin...
This vulnerability allows view-only users in Kibana to abuse the run_soon API to trigger continuous execution of alerting rules. This could lead to resource exhaustion and system availability issues i...
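The open-redirect entry above (crafted links that bounce a user to an arbitrary site) is usually the result of trusting a `next`/return parameter after a naive "starts with /" check. The example below is added here and is not Kibana's code; it resolves the candidate with the WHATWG URL parser against a fixed placeholder origin and only accepts a result that stayed on that origin. The placeholder origin, default path and optional basePath argument are assumptions, and the test cases are constructed.

```javascript
// Added example (not Kibana's code): validate a user-supplied return URL so a
// login flow only ever redirects within the application. APP_ORIGIN is an
// assumption; any fixed origin works because only the resulting path is returned.
const APP_ORIGIN = 'https://kibana.invalid';
const DEFAULT_PATH = '/app/home';

function safeRedirectPath(candidate, basePath = '') {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return DEFAULT_PATH;
  }
  let parsed;
  try {
    // Resolving relative to our own origin lets the parser, not ad-hoc string
    // checks, decide what "//evil", "/\evil" or "javascript:" really mean.
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return DEFAULT_PATH;
  }
  // Other hosts, other schemes and opaque URLs (origin "null") are all rejected here.
  if (parsed.origin !== APP_ORIGIN) return DEFAULT_PATH;
  const path = parsed.pathname + parsed.search + parsed.hash;
  // Optionally pin the result under a configured base path prefix.
  if (basePath && path !== basePath && !path.startsWith(basePath + '/')) return DEFAULT_PATH;
  return path;
}

// Constructed cases: [input, expected]. The comments say why each one matters.
const CASES = [
  ['/app/dashboards?id=42', '/app/dashboards?id=42'], // ordinary in-app path
  ['//evil.example/phish', DEFAULT_PATH],            // protocol-relative: new host
  ['/\\evil.example/phish', DEFAULT_PATH],           // backslash is a slash for http(s)
  ['https://evil.example/', DEFAULT_PATH],           // absolute, foreign origin
  ['javascript:alert(1)', DEFAULT_PATH],             // opaque scheme, origin "null"
  ['https://kibana.invalid/app/x', '/app/x'],        // absolute but same origin
  ['https:evil.example', '/evil.example'],           // same scheme, no "//": relative path
];

// Returns one boolean per case so a caller can see which checks hold.
function runCases() {
  return CASES.map(([input, expected]) => safeRedirectPath(input) === expected);
}
```

The backslash and scheme-only cases are the ones a hand-written prefix check gets wrong: `/\evil.example` passes a "must start with /" test yet browsers navigate to `evil.example`, while `https:evil.example` looks like an absolute URL but resolves to a same-origin path. Letting the URL parser decide, then comparing origins, handles both without a growing list of special cases.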