
CVSS: 6.8 • EPSS: n/a • CPEs: 2 • EXPL: 0

28 Aug 2025 — Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role, which incorrectly has the ability to access all Kibana Spaces. • https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426 • CWE-863: Incorrect Authorization •

CVSS: 4.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

25 Jun 2025 — URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. • https://discuss.elastic.co/t/kibana-7-17-29-8-17-8-8-18-3-9-0-3-security-update-esa-2025-10/379444 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
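The open-redirect class described in the entry above (CWE-601) is normally closed by validating the redirect target before the redirect is issued. The following is an added example, not Kibana's code and not the fix from the referenced advisory: it accepts only same-origin, single-slash paths and rejects the protocol-relative, backslash, scheme-prefixed and whitespace-smuggled forms that a browser would otherwise follow off-site. The origin `https://kibana.example.internal`, the fallback path and the function names are assumptions made for illustration.

```javascript
// Added example (not Kibana's code): validate a user-supplied "return to"
// target before redirecting, the usual fix for CWE-601. Only a same-origin,
// single-slash path is accepted. The origin below is an assumed deployment
// value, not anything taken from the advisory.
const SITE_ORIGIN = 'https://kibana.example.internal';

function isSafeRedirectTarget(target, origin = SITE_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return false;
  }
  // Browsers strip tab and newline while parsing URLs, so "/\t/evil.example"
  // becomes the protocol-relative "//evil.example". Reject control characters
  // and whitespace outright instead of trying to normalise them.
  if (/[\u0000-\u0020\u007f]/.test(target)) return false;
  // Require a path: "//host" is protocol-relative, "/\host" is normalised to
  // "//host" by browsers, and "https:evil" or "javascript:" have no leading slash.
  if (!target.startsWith('/') || target.startsWith('//') || target.startsWith('/\\')) {
    return false;
  }
  // Resolve against our own origin and confirm the result stayed there.
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch (_) {
    return false;
  }
  return resolved.origin === origin;
}

// Returns the target if it is safe, otherwise a fixed in-app fallback.
function safeRedirectTarget(target, fallback = '/app/home') {
  return isSafeRedirectTarget(target) ? target : fallback;
}
```

Resolving with `new URL(target, origin)` and comparing `origin` is the decisive check; the string tests before it exist so that the rejection reason is explicit and so that forms the URL parser would silently rewrite never reach it.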

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jun 2025 — Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. • https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-21/379064 • CWE-285: Improper Authorization •

CVSS: 9.1 • EPSS: 0% • CPEs: 3 • EXPL: 3

06 May 2025 — A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. • https://github.com/Sratet/CVE-2025-25014 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 May 2025 — Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. • https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 May 2025 — Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. • https://discuss.elastic.co/t/kibana-7-17-19-and-8-13-0-security-update-esa-2024-47/377711 • CWE-434: Unrestricted Upload of File with Dangerous Type •
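Both CWE-434 entries above concern a file type the server accepts and a browser later treats as HTML or script. The following is an added example, not Kibana's code and not the fix shipped in the referenced advisories: it checks an upload's claimed type against its content, refuses anything that looks like active content even under an allowed extension, and builds the response headers that keep a stored file from being rendered inline. The allowlist, size limit, sample buffers and function names are assumptions constructed for illustration.

```javascript
// Added example, not Kibana's code: server-side checks for a CWE-434 upload
// path where an accepted file may later be fetched by a browser. The
// extension is never trusted alone: the content must match the claimed type,
// and anything that looks like HTML/SVG/script is refused outright.

// Allowlist: extension -> magic-number check over the file's first bytes.
const ALLOWED = {
  png: (b) => b.length >= 8 && b[0] === 0x89 && b[1] === 0x50 && b[2] === 0x4e && b[3] === 0x47,
  jpg: (b) => b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff,
  gif: (b) => b.length >= 6 && b.toString('latin1', 0, 4) === 'GIF8',
};
ALLOWED.jpeg = ALLOWED.jpg;
const MIME = { png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif' };

// Markup or script a browser would execute if the bytes were ever rendered as
// a document (covers the HTML-under-a-.png-name case). Conservative on purpose.
const ACTIVE_CONTENT = /<\s*(script|html|svg|iframe|body|!doctype)\b|javascript:|\bon[a-z]+\s*=/i;

function checkUpload(filename, bytes, maxBytes = 5 * 1024 * 1024) {
  if (bytes.length === 0 || bytes.length > maxBytes) return { ok: false, reason: 'size' };
  // Use only the final extension: "page.html.png" is judged as png and must
  // still pass the png magic-number check below.
  const m = /\.([a-z0-9]+)$/i.exec(filename);
  const ext = m ? m[1].toLowerCase() : '';
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) return { ok: false, reason: 'extension' };
  const head = bytes.subarray(0, 4096).toString('latin1');
  if (ACTIVE_CONTENT.test(head)) return { ok: false, reason: 'active-content' };
  if (!ALLOWED[ext](bytes)) return { ok: false, reason: 'content-mismatch' };
  return { ok: true, ext };
}

// Headers for serving a stored upload. storedId is assumed to be a
// server-generated identifier, so the user's original filename never reaches
// a response header. nosniff stops type guessing, attachment prevents inline
// rendering, and the CSP neutralises script should a client render it anyway.
function serveHeaders(ext, storedId) {
  return {
    'Content-Type': MIME[ext],
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${storedId}.${ext}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs (not real uploads): a minimal PNG header and an
// HTML document submitted under a .png name.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]);
const SAMPLE_HTML_AS_PNG = Buffer.from('<html><body><script>alert(document.cookie)</script></body></html>');
```

The active-content scan runs before the magic-number check so that a file which is a valid image and also carries markup (a polyglot) is rejected rather than stored; the headers then cover files that were accepted before the check existed.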

CVSS: 8.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Apr 2025 — Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. • https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVSS: 6.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

08 Apr 2025 — An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-15-1-security-update-esa-2024-36/376923 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 9.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

05 Mar 2025 — Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors. • https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
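Three entries on this page (the CVE-2025-25014 entry, ESA-2025-02 and ESA-2025-06) cite CWE-1321. The pattern behind that class is a recursive merge of attacker-controlled JSON into a server-side object. The following is an added example that is not Kibana's code and does not reproduce the specific uploads or requests from those advisories: it shows a deliberately vulnerable merge polluting `Object.prototype` alongside the hardened form that skips prototype-affecting keys. The payload, object shapes and function names are constructed for illustration.

```javascript
// Added example, not Kibana's code: the CWE-1321 pattern behind the
// prototype-pollution entries on this page, shown as a generic deep-merge of
// request JSON into a server-side object. Payload and names are constructed.

// Constructed attacker payload as it would arrive in a JSON request body.
// JSON.parse creates an own, enumerable property literally named "__proto__".
const ATTACKER_JSON = '{"name":"report","__proto__":{"isAdmin":true}}';

// Vulnerable (deliberately): target["__proto__"] on a plain object is
// Object.prototype, which is typeof "object", so the recursion writes into it
// and every object in the process then inherits isAdmin.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, copy only own keys, and
// only descend into an own plain-object property of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the CWE-1321 fix
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs the vulnerable merge, observes the leak on an unrelated object, then
// removes the polluted property so the process is left clean.
function demoUnsafe() {
  const probe = {};
  unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const leaked = probe.isAdmin; // true: the write landed on Object.prototype
  delete Object.prototype.isAdmin;
  return leaked;
}

// Runs the hardened merge and reports whether anything leaked.
function demoSafe() {
  const merged = safeMerge({}, JSON.parse(ATTACKER_JSON));
  const probe = {};
  return { leaked: probe.isAdmin, name: merged.name, keys: Object.keys(merged) };
}
```

The key denylist alone is not sufficient in general: `safeMerge` also restricts descent to own plain-object properties, so a target whose property already points at a shared object (a class prototype, a config singleton) is not written through. Building the target with `Object.create(null)` or freezing `Object.prototype` at startup are complementary controls.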

CVSS: 6.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload submitted to a number of inputs in the Kibana UI. This can be carried out by users with read access to any feature in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •