CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 1CVE-2025-25014 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2025-25014
06 May 2025 — A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. • https://github.com/Sratet/CVE-2025-25014 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11390 – Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS
https://notcve.org/view.php?id=CVE-2024-11390
01 May 2025 — Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. • https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25016 – Kibana Unrestricted Upload of File
https://notcve.org/view.php?id=CVE-2025-25016
01 May 2025 — Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. • https://discuss.elastic.co/t/kibana-7-17-19-and-8-13-0-security-update-esa-2024-47/377711 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52974
https://notcve.org/view.php?id=CVE-2024-52974
08 Apr 2025 — An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-15-1-security-update-esa-2024-36/376923 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43708
https://notcve.org/view.php?id=CVE-2024-43708
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. Una asignación de recursos sin límites ni limitaciones en Kibana puede provocar un bloqueo causado por un payload especialmente manipulado para una serie de entradas en la interfaz de usuario de Kibana. Esto lo pueden llevar a cabo los usuarios con acceso de lectura a cualqui... • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52972 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52972
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43707 – Kibana exposure of sensitive information to an unauthorized actor
https://notcve.org/view.php?id=CVE-2024-43707
23 Jan 2025 — An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. • https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43710 – Kibana server-side request forgery
https://notcve.org/view.php?id=CVE-2024-43710
23 Jan 2025 — A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet. • https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52973 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52973
21 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-14-2-security-update-esa-2024-26/373443 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37285 – Kibana arbitrary code execution via YAML deserialization
https://notcve.org/view.php?id=CVE-2024-37285
14 Nov 2024 — A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them. The following Elasticsearc... • https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119 • CWE-502: Deserialization of Untrusted Data •