CVE-2025-25009
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
CVE-2025-25012
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
CVE-2024-43706
Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
CVE-2025-25014
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
CVE-2025-25016
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
CVE-2024-11390
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.
The attacker must have access to the Synthetics app AND/OR have acces…
CVE-2024-12556
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
CVE-2024-52974
An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash.
A successful attack requires a malicious user to have read permissions for Observability assigned to them.
CVE-2025-25015
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.
In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versio…
CVE-2024-43708
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.
CVE-2024-52972
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs fea…
CVE-2024-43710
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over http…
CVE-2024-43707
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Age…
CVE-2024-52973
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in…