Elastic: Security Vulnerabilities
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
CVSS Score: 9.1
EPSS Score: 0.006
Published: 2025-10-13
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API (https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex).
CVSS Score: 5.7
EPSS Score: 0.002
Published: 2025-10-10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS).
CVSS Score: 8.7
EPSS Score: 0.002
Published: 2025-10-10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS).
CVSS Score: 8.2
EPSS Score: 0.002
Published: 2025-10-10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
CVSS Score: 8.7
EPSS Score: 0.002
Published: 2025-10-07
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.
CVSS Score: 6.5
EPSS Score: 0.003
Published: 2025-08-28
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
CVSS Score: 4.3
EPSS Score: 0.004
Published: 2025-06-25
Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
CVSS Score: 7.6
EPSS Score: 0.003
Published: 2025-06-10
A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
CVSS Score: 9.1
EPSS Score: 0.137
Published: 2025-05-06
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2025-05-01

