Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
CVSS Score
8.7
EPSS Score
0.0
Published
2025-10-10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
CVSS Score
8.2
EPSS Score
0.0
Published
2025-10-10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
CVSS Score
8.7
EPSS Score
0.0
Published
2025-10-07
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-06-25
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
CVSS Score
9.1
EPSS Score
0.007
Published
2025-05-06
An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash.
A successful attack requires a malicious user to have read permissions for Observability assigned to them.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-04-08
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-01-23
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-23
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
CVSS Score
7.7
EPSS Score
0.001
Published
2025-01-23
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-01-23
Page 1