CVE-2026-26933

>= 8.0.0 and < 8.19.11

Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead Denial of Service via I

5.7MEDIUM

CVE-2026-26932

>= 8.0.0 and < 8.19.11

Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead Denial of Service via Input

5.7MEDIUM

CVE-2025-68390

>= 7.0.0 and <= 7.17.29

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot rest

4.9MEDIUM

CVE-2025-68388

>= 8.6.0 and < 8.19.9

Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive alloca

5.3MEDIUM

CVE-2025-68384

>= 7.0.0 and <= 7.17.29

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to c

6.5MEDIUM

CVE-2025-68382

>= 7.0.0 and <= 7.17.29

Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protoc

6.5MEDIUM

CVE-2025-68381

>= 7.0.0 and <= 7.17.29

Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100)

6.5MEDIUM

CVE-2025-37731

>= 7.0.0 and <= 7.17.29

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A mal

6.8MEDIUM

CVE-2025-37727

>= 7.0.0 and <= 7.17.29

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions w

5.7MEDIUM

CVE-2024-52979

< 7.17.25

Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions

6.5MEDIUM

CVE-2024-52981

>= 7.17.0 and < 7.17.24

An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCo

4.9MEDIUM

CVE-2024-52980

>= 7.17.0 and < 8.15.1

A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBan

6.5MEDIUM

CVE-2024-43709

>= 7.17.0 and < 7.17.21

An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a

6.5MEDIUM

CVE-2024-12539

>= 8.16.0 and < 8.16.2

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circu

6.5MEDIUM

CVE-2024-23444

>= 7.0.0 and < 7.17.23

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create

4.9MEDIUM

CVE-2023-49921

>= 7.0.0 and < 7.17.16

An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lea

5.2MEDIUM

CVE-2024-37280

>= 8.13.1 and < 8.14.0

A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of �

4.9MEDIUM

CVE-2024-23445

>= 8.10.0 and < 8.14.0

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-creat

6.5MEDIUM

CVE-2024-23449

>= 8.4.0 and < 8.11.1

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor thr

4.3MEDIUM

CVE-2024-23451

>= 8.10.0 and < 8.13.0

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta,

4.4MEDIUM

CVE-2024-23450

>= 7.0.0 and < 7.17.19

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the

4.9MEDIUM

CVE-2023-46674

< 7.17.11

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that

6.0MEDIUM

CVE-2023-46673

>= 7.0.0 and < 7.17.14

It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to c

6.5MEDIUM

CVE-2021-37937

>= 7.13.0 and <= 7.14.0

An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service

5.9MEDIUM

CVE-2023-31419

>= 7.0.0 and <= 7.17.12

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack O

6.5MEDIUM

CVE-2023-31418

<= 7.17.12

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could for

7.5HIGH

CVE-2023-31417

>= 7.0.0 and <= 7.17.12

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this

4.1MEDIUM

CVE-2022-23712

>= 8.0.0 and < 8.2.1

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shu

7.5HIGH

CVE-2022-23708

>= 7.16.0 and < 7.17.1

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the

4.3MEDIUM

CVE-2021-22147

>= 7.11.0 and < 7.14.0

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authent

6.5MEDIUM

CVE-2021-22144

< 6.8.17

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service

6.5MEDIUM

CVE-2021-22146

all versions

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While

7.5HIGH

CVE-2021-22145

>= 7.10.0 and <= 7.13.3

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to sub

6.5MEDIUM

CVE-2021-22137

< 6.8.15

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is u

5.3MEDIUM

CVE-2021-22135

< 6.8.15

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and pr

5.3MEDIUM

CVE-2021-22134

>= 7.6.0 and <= 7.11.0

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security

4.3MEDIUM

CVE-2020-7021

< 6.8.14

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body

4.9MEDIUM

CVE-2021-22132

>= 7.7.0 and < 7.10.2

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async

4.8MEDIUM

CVE-2020-7020

< 6.8.13

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. S

3.1LOW

CVE-2020-7019

< 6.8.12

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Securi

6.5MEDIUM

CVE-2020-7017

< 6.8.11

In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to

6.7MEDIUM

CVE-2020-7016

< 6.8.11

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that w

4.8MEDIUM

CVE-2020-7014

>= 6.7.0 and <= 6.8.7

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a priv

8.8HIGH

CVE-2020-7009

>= 6.7.0 and < 6.8.8

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able t

8.8HIGH

CVE-2019-7619

>= 6.7.0 and <= 6.8.3

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthe

5.3MEDIUM

CVE-2019-3800

< 2.1.2

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user aut

6.3MEDIUM

CVE-2019-7614

< 6.8.2

A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a s

5.9MEDIUM

CVE-2019-7611

< 5.6.15

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Securi

8.1HIGH

CVE-2018-17247

all versions

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy all

5.9MEDIUM

CVE-2018-17244

>= 6.4.0 and <= 6.4.2

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the

6.5MEDIUM

CVE-2018-3831

>= 5.6.0 and < 5.6.12

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are con

8.8HIGH

CVE-2018-3826

>= 6.0.0 and <= 6.2.4

In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_

6.5MEDIUM

CVE-2015-5377

< 1.6.1

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport proto

9.8CRITICAL

CVE-2017-11480

< 5.6.4

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is l

7.5HIGH

CVE-2017-8444

all versions

The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attac

5.9MEDIUM

CVE-2017-11479

all versions

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain s

6.1MEDIUM

CVE-2017-14730

all versions

The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-wri

7.8HIGH

CVE-2015-5619

all versions

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS cert

5.9MEDIUM

CVE-2015-4165

all versions

The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execut

7.5HIGH

CVE-2015-5378

all versions

Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent

7.5HIGH

CVE-2016-10362

<= 5.0.0

Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basi

6.5MEDIUM

CVE-2015-5531

<= 1.6.0

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified ve

CVE-2015-3337

<= 1.4.4

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remo

CVE-2015-1427

< 1.3.8

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox pro

9.8CRITICAL

CVE-2014-6439

<= 1.3.3

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to

CVE-2014-3120

< 1.2.0

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrar

8.1HIGH