CVE-2025-25015 — CVSS 9.9 (critical): Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana…
CVE-2024-37288 — CVSS 9.9 (critical): A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted…
CVE-2018-17246 — CVSS 9.8 (critical): Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the…
CVE-2018-17245 — CVSS 9.8 (critical): Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating…
CVE-2024-37287 — CVSS 9.1 (critical): A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well…
CVE-2025-25014 — CVSS 9.1 (critical): A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting…
CVE-2024-37285 — CVSS 9.1 (critical): A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted…
CVE-2019-7610 — CVSS 9.0 (critical): Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting…
CVE-2023-31422 — CVSS 9.0 (critical): An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts…
CVE-2023-31415 — CVSS 8.8 (high): Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send…
CVE-2023-31414 — CVSS 8.8 (high): Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env…
CVE-2020-7012 — CVSS 8.8 (high): Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker…
CVE-2025-25018 — CVSS 8.7 (high): Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
CVE-2024-12556 — CVSS 8.7 (high): Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
CVE-2025-25009 — CVSS 8.7 (high): Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
CVE-2026-26938 — CVSS 8.6 (high): Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an…
CVE-2025-25017 — CVSS 8.2 (high): Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
CVE-2023-46675 — CVSS 8.0 (high): An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event…
CVE-2023-46671 — CVSS 8.0 (high): An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has…
CVE-2026-49091 — CVSS 8.0 (high): Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An…
CVE-2026-4498 — CVSS 7.7 (high): Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their…
CVE-2026-33461 — CVSS 7.7 (high): Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet…
CVE-2024-43707 — CVSS 7.7 (high): An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive…
CVE-2026-42398 — CVSS 7.7 (high): Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the…
CVE-2024-43706 — CVSS 7.6 (high): Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
CVE-2017-8452 — CVSS 7.5 (high): Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and…
CVE-2016-1000219 — CVSS 7.5 (high): Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the…
CVE-2020-7013 — CVSS 7.2 (high): Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB…
CVE-2025-68385 — CVSS 7.2 (high): Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a…
CVE-2015-8131 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to…
CVE-2021-22150 — CVSS 6.6 (medium): It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml…
CVE-2021-22142 — CVSS 6.6 (medium): Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user…
CVE-2026-42400 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated…
CVE-2026-0531 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially…
CVE-2026-0543 — CVSS 6.5 (medium): Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a…
CVE-2026-26934 — CVSS 6.5 (medium): Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to…
CVE-2026-26935 — CVSS 6.5 (medium): Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data…
CVE-2026-26937 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation…
CVE-2017-8443 — CVSS 6.5 (medium): In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an…
CVE-2026-56151 — CVSS 6.5 (medium): Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user…
CVE-2019-7618 — CVSS 6.5 (medium): A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into…
CVE-2026-49095 — CVSS 6.5 (medium): Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated…
CVE-2026-49094 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated…
CVE-2021-22139 — CVSS 6.5 (medium): Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a…
CVE-2026-49087 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation…
CVE-2026-0530 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially…
CVE-2026-42399 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated…
CVE-2022-38778 — CVSS 6.5 (medium): A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a…
CVE-2024-23446 — CVSS 6.5 (medium): An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level…
CVE-2026-33464 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An…
CVE-2024-37281 — CVSS 6.5 (medium): An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of…
CVE-2024-43708 — CVSS 6.5 (medium): An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of…
CVE-2024-52972 — CVSS 6.5 (medium): An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to…
CVE-2024-52973 — CVSS 6.5 (medium): An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to…
CVE-2024-52974 — CVSS 6.5 (medium): An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A…
CVE-2025-25010 — CVSS 6.5 (medium): Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability…
CVE-2026-33459 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated…
CVE-2016-10364 — CVSS 6.5 (medium): With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL…
CVE-2026-26940 — CVSS 6.5 (medium): Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via…
CVE-2026-26939 — CVSS 6.5 (medium): Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action…
CVE-2025-68389 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive…
CVE-2026-0528 — CVSS 6.5 (medium): Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data…
CVE-2026-33458 — CVSS 6.3 (medium): Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow…
CVE-2026-49093 — CVSS 6.3 (medium): Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the…
CVE-2018-3819 — CVSS 6.1 (medium): The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open…
CVE-2018-3818 — CVSS 6.1 (medium): Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow…
CVE-2017-8451 — CVSS 6.1 (medium): With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to…
CVE-2017-11481 — CVSS 6.1 (medium): Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to…
CVE-2017-11479 — CVSS 6.1 (medium): Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive…
CVE-2016-10365 — CVSS 6.1 (medium): Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana…
CVE-2017-8440 — CVSS 6.1 (medium): Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to…
CVE-2025-68387 — CVSS 6.1 (medium): Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a…
CVE-2022-38779 — CVSS 6.1 (medium): An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a…
CVE-2022-23713 — CVSS 6.1 (medium): A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to…
CVE-2022-23710 — CVSS 6.1 (medium): A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which…
CVE-2021-22141 — CVSS 6.1 (medium): An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could…
CVE-2016-1000220 — CVSS 6.1 (medium): Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users'…
CVE-2020-27816 — CVSS 6.1 (medium): The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to…
CVE-2024-23442 — CVSS 6.1 (medium): An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a…
CVE-2019-7608 — CVSS 6.1 (medium): Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive…
CVE-2016-10366 — CVSS 6.1 (medium): Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
CVE-2017-8439 — CVSS 6.1 (medium): Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker…
CVE-2017-11482 — CVSS 6.1 (medium): The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open…
CVE-2018-3821 — CVSS 6.1 (medium): Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that…
CVE-2018-3830 — CVSS 6.1 (medium): Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker…
CVE-2018-3820 — CVSS 6.1 (medium): Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an…
CVE-2019-7621 — CVSS 5.4 (medium): Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An…
CVE-2020-7015 — CVSS 5.4 (medium): Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a…
CVE-2021-37936 — CVSS 5.4 (medium): It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the…
CVE-2022-23707 — CVSS 5.4 (medium): An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index…
CVE-2024-11390 — CVSS 5.4 (medium): Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via…
CVE-2025-37732 — CVSS 5.4 (medium): Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML…
CVE-2026-33463 — CVSS 5.3 (medium): Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error…
CVE-2022-23711 — CVSS 5.3 (medium): A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack…
CVE-2019-7616 — CVSS 4.9 (medium): Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion…
CVE-2024-23443 — CVSS 4.9 (medium): A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously…
CVE-2026-26936 — CVSS 4.9 (medium): Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via…
CVE-2026-33462 — CVSS 4.6 (medium): A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited…
CVE-2026-49088 — CVSS 4.4 (medium): Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application…
CVE-2024-43710 — CVSS 4.3 (medium): A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests…
CVE-2025-68386 — CVSS 4.3 (medium): Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a…
CVE-2024-37279 — CVSS 4.3 (medium): A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously…
CVE-2015-4093 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or…
CVE-2025-68422 — CVSS 4.3 (medium): Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass…
CVE-2022-23709 — CVSS 4.3 (medium): A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this…
CVE-2025-25012 — CVSS 4.3 (medium): URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request…
CVE-2026-33460 — CVSS 4.3 (medium): Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with…
CVE-2021-37938 — CVSS 4.3 (medium): It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf…
CVE-2020-10743 — CVSS 4.3 (medium): It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to…
CVE-2025-37734 — CVSS 4.3 (medium): Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI…
CVE-2025-25016 — CVSS 4.3 (medium): Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file…
CVE-2026-42401 — CVSS 4.1 (medium): Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access…
CVE-2021-22136 — CVSS 3.5 (low): In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout…
CVE-2021-22151 — CVSS 3.1 (low): It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could…
CVE-2021-37939 — CVSS 2.7 (low): It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts…