Elastic: Security Vulnerabilities
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-12-18
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-12-18
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
CVSS Score
4.9
EPSS Score
0.003
Published
2025-12-18
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.
CVSS Score
4.3
EPSS Score
0.002
Published
2025-12-18
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-12-18
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-12-18
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
CVSS Score
6.8
EPSS Score
0.002
Published
2025-12-15
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-12-15
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
CVSS Score
4.3
EPSS Score
0.002
Published
2025-11-12
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:
post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}
CVSS Score
8.8
EPSS Score
0.003
Published
2025-11-07