elastic kibana

105 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS score / severity | Summary
CVE-2026-33459 | >= 8.15.0 and < 8.19.14 | 6.5 MEDIUM | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authe
CVE-2026-33458 | >= 9.3.0 and < 9.3.3 | 6.3 MEDIUM | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workfl
CVE-2026-4498 | >= 8.0.0 and < 8.19.14 | 7.7 HIGH | Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond
CVE-2026-33461 | >= 8.0.0 and < 8.19.14 | 7.7 HIGH | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limite
CVE-2026-33460 | >= 8.0.0 and < 8.19.14 | 4.3 MEDIUM | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user
CVE-2026-26940 | >= 8.0.0 and < 8.19.13 | 6.5 MEDIUM | Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead to Denial of Se
CVE-2026-26939 | >= 8.0.0 and < 8.19.12 | 6.5 MEDIUM | Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Act
CVE-2026-26938 | all versions | 8.6 HIGH | Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow a
CVE-2026-26937 | >= 8.0.0 and < 8.19.11 | 6.5 MEDIUM | Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead to Denial of Service via Input Data Manipula
CVE-2026-26936 | >= 8.0.0 and < 8.19.11 | 4.9 MEDIUM | Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead to Denial of Service
CVE-2026-26935 | >= 8.4.0 and < 8.19.12 | 6.5 MEDIUM | Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead to Denial of Service via Inp
CVE-2026-26934 | >= 8.18.0 and < 8.19.12 | 6.5 MEDIUM | Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privile
CVE-2026-0543 | >= 7.0.0 and <= 7.17.29 | 6.5 MEDIUM | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130)
CVE-2026-0531 | >= 7.10.0 and < 7.17.29 | 6.5 MEDIUM | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a
CVE-2026-0530 | >= 7.10.0 and < 7.17.29 | 6.5 MEDIUM | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a
CVE-2026-0528 | >= 7.0.0 and < 7.17.29 | 6.5 MEDIUM | Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input
CVE-2025-68422 | >= 7.0.0 and <= 7.17.29 | 4.3 MEDIUM | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypas
CVE-2025-68389 | >= 7.0.0 and <= 7.17.29 | 6.5 MEDIUM | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Ex
CVE-2025-68387 | >= 7.0.0 and <= 7.17.29 | 6.1 MEDIUM | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to em
CVE-2025-68386 | >= 7.0.0 and <= 7.17.29 | 4.3 MEDIUM | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to chang
CVE-2025-68385 | >= 7.0.0 and <= 7.17.29 | 7.2 HIGH | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embe
CVE-2025-37732 | >= 7.0.0 and <= 7.17.29 | 5.4 MEDIUM | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to rend
CVE-2025-37734 | >= 8.12.0 and < 8.19.7 | 4.3 MEDIUM | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observa
CVE-2025-25018 | >= 7.0.0 and < 8.18.8 | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
CVE-2025-25017 | >= 7.0.0 and < 8.18.8 | 8.2 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
CVE-2025-25009 | >= 7.0.0 and < 8.18.8 | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
CVE-2025-25010 | >= 9.0.0 and < 9.0.6 | 6.5 MEDIUM | Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the
CVE-2025-25012 | >= 7.0.0 and < 7.17.29 | 4.3 MEDIUM | URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side r
CVE-2024-43706 | <= 8.12.0 | 7.6 HIGH | Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.
CVE-2025-25014 | >= 8.3.0 and < 8.17.6 | 9.1 CRITICAL | A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and
CVE-2025-25016 | >= 7.17.0 and < 7.17.19 | 4.3 MEDIUM | Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malici
CVE-2024-11390 | >= 7.17.6 and < 7.17.24 | 5.4 MEDIUM | Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XS
CVE-2024-12556 | >= 8.16.1 and < 8.16.4 | 8.7 HIGH | Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
CVE-2024-52974 | >= 7.17.0 and < 7.17.23 | 6.5 MEDIUM | An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash
CVE-2025-25015 | >= 8.15.0 and < 8.16.6 | 9.9 CRITICAL | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.
CVE-2024-43708 | < 7.17.23 | 6.5 MEDIUM | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a n
CVE-2024-52972 | < 7.17.23 | 6.5 MEDIUM | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /ap
CVE-2024-43710 | >= 8.7.0 and < 8.15.0 | 4.3 MEDIUM | A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send r
CVE-2024-43707 | >= 8.7.0 and < 8.15.0 | 7.7 HIGH | An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitiv
CVE-2024-52973 | < 7.17.23 | 6.5 MEDIUM | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /ap
CVE-2024-37285 | >= 8.10.0 and <= 8.15.0 | 9.1 CRITICAL | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a
CVE-2024-37288 | all versions | 9.9 CRITICAL | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a
CVE-2024-37287 | >= 7.7.0 and < 7.17.23 | 9.1 CRITICAL | A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features,
CVE-2024-37281 | >= 7.0.0 and < 7.17.23 | 6.5 MEDIUM | An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number o
CVE-2024-23443 | >= 7.0.0 and < 7.17.22 | 4.9 MEDIUM | A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a malicious
CVE-2024-23442 | < 7.17.22 | 6.1 MEDIUM | An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a m
CVE-2024-37279 | >= 8.6.3 and < 8.14.0 | 4.3 MEDIUM | A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continu
CVE-2024-23446 | >= 8.0.0 and < 8.12.1 | 6.5 MEDIUM | An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Fiel
CVE-2023-46675 | >= 7.13.0 and < 7.17.16 | 8.0 HIGH | An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the
CVE-2023-46671 | >= 8.0.0 and < 8.11.1 | 8.0 HIGH | An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic
CVE-2021-22151 | >= 7.9.0 and <= 7.14.0 | 3.1 LOW | It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious u
CVE-2021-22150 | >= 7.10.2 and < 7.14.1 | 6.6 MEDIUM | It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the
CVE-2021-22142 | >= 7.0.0 and < 7.13.0 | 6.6 MEDIUM | Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports.
CVE-2023-31422 | all versions | 9.0 CRITICAL | An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue im
CVE-2023-31415 | all versions | 8.8 HIGH | Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature c
CVE-2023-31414 | >= 8.0.0 and <= 8.7.0 | 8.8 HIGH | Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env
CVE-2022-38779 | >= 7.0.0 and < 7.17.9 | 6.1 MEDIUM | An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a m
CVE-2022-38778 | >= 7.0.0 and < 7.17.9 | 6.5 MEDIUM | A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to pe
CVE-2021-37936 | < 7.14.1 | 5.4 MEDIUM | It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker w
CVE-2021-22141 | < 6.8.16 | 6.1 MEDIUM | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL,
CVE-2022-23713 | >= 7.0.0 and < 7.17.5 | 6.1 MEDIUM | A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaSc
CVE-2022-23711 | >= 7.2.1 and < 7.17.3 | 5.3 MEDIUM | A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elasti
CVE-2022-23710 | >= 7.15.0 and <= 7.17.0 | 6.1 MEDIUM | A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane
CVE-2022-23709 | >= 7.7.0 and < 7.17.1 | 4.3 MEDIUM | A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with thi
CVE-2022-23707 | >= 7.5.1 and < 7.17.0 | 5.4 MEDIUM | An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to creat
CVE-2021-37939 | >= 7.8.0 and < 7.15.2 | 2.7 LOW | It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal
CVE-2021-37938 | >= 7.9.0 and < 7.15.2 | 4.3 MEDIUM | It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load
CVE-2020-10743 | all versions | 4.3 MEDIUM | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible
CVE-2021-22139 | < 7.12.1 | 6.5 MEDIUM | Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout
CVE-2021-22136 | < 6.8.15 | 3.5 LOW | In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTime
CVE-2020-27816 | <= 4.7 | 6.1 MEDIUM | The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible
CVE-2020-7017 | < 6.8.11 | 6.7 MEDIUM | In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is able to
CVE-2020-7016 | < 6.8.11 | 4.8 MEDIUM | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that w
CVE-2020-7015 | < 6.8.10 | 5.4 MEDIUM | Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or cr
CVE-2020-7013 | < 6.8.9 | 7.2 HIGH | Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to cr
CVE-2020-7012 | >= 6.7.0 and <= 6.8.8 | 8.8 HIGH | Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated at
CVE-2019-7621 | < 6.8.6 | 5.4 MEDIUM | Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations.
CVE-2019-7618 | all versions | 6.5 MEDIUM | A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is importe
CVE-2019-7616 | < 6.8.2 | 4.9 MEDIUM | Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion
CVE-2019-7610 | < 5.6.15 | 9.0 CRITICAL | Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the s
CVE-2019-7609 | < 5.6.15 | 10.0 CRITICAL | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with acce
CVE-2019-7608 | < 5.6.15 | 6.1 MEDIUM | Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sens
CVE-2018-17246 | >= 5.0.0 and < 5.6.13 | 9.8 CRITICAL | Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to
CVE-2018-17245 | >= 4.0.0 and <= 4.6.0 | 9.8 CRITICAL | Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when ge
CVE-2018-3830 | >= 5.3.0 and <= 6.4.1 | 6.1 MEDIUM | Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an a
CVE-2018-3821 | > 5.1.1 and < 5.6.7 | 6.1 MEDIUM | Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualizati
CVE-2018-3820 | > 6.1.0 and < 6.1.3 | 6.1 MEDIUM | Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allo
CVE-2018-3819 | < 5.6.7 | 6.1 MEDIUM | The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an ope
CVE-2018-3818 | >= 5.1.1 and <= 6.1.2 | 6.1 MEDIUM | Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that coul
CVE-2017-11482 | all versions | 6.1 MEDIUM | The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an
CVE-2017-11481 | all versions | 6.1 MEDIUM | Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacke
CVE-2017-11479 | all versions | 6.1 MEDIUM | Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain s
CVE-2017-8443 | <= 5.4.2 | 6.5 MEDIUM | In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an
CVE-2017-8452 | <= 5.2.0 | 7.5 HIGH | In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain request
CVE-2017-8451 | <= 5.3.0 | 6.1 MEDIUM | With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an att
CVE-2016-10366 | all versions | 6.1 MEDIUM | Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
CVE-2016-10365 | <= 4.6.2 | 6.1 MEDIUM | Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Ki
CVE-2016-10364 | all versions | 6.5 MEDIUM | With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the shor
CVE-2016-1000220 | >= 4.1.0 and < 4.1.11 | 6.1 MEDIUM | Kibana before 4.5.4 and 4.1.11 is vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in use
CVE-2016-1000219 | >= 4.1.0 and < 4.1.11 | 7.5 HIGH | In Kibana before 4.5.4 and 4.1.11, when a custom output is configured for logging in, cookies and authorization headers could be writt
CVE-2015-9056 | >= 4.1.0 and < 4.1.3 | 6.1 MEDIUM | Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack.
CVE-2017-8440 | all versions | 6.1 MEDIUM | Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker
CVE-2017-8439 | all versions | 6.1 MEDIUM | Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an a
CVE-2015-8131 | <= 4.1.2 | n/a | Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attacker
CVE-2015-4093 | all versions | n/a | Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin