Filtered by vendor Elastic
Subscriptions
Total
199 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-37732 | 1 Elastic | 1 Kibana | 2025-12-15 | 5.4 Medium |
| Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection. | ||||
| CVE-2025-37731 | 1 Elastic | 1 Elasticsearch | 2025-12-15 | 6.8 Medium |
| Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. | ||||
| CVE-2025-37734 | 1 Elastic | 1 Kibana | 2025-12-11 | 4.3 Medium |
| Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | ||||
| CVE-2025-37736 | 1 Elastic | 1 Elastic Cloud Enterprise | 2025-12-11 | 8.8 High |
| Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts delete:/platform/configuration/security/service-accounts/{user_id} patch:/platform/configuration/security/service-accounts/{user_id} post:/platform/configuration/security/service-accounts/{user_id}/keys delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id} patch:/user post:/users post:/users/auth/keys delete:/users/auth/keys delete:/users/auth/keys/_all delete:/users/auth/keys/{api_key_id} delete:/users/{user_id}/auth/keys delete:/users/{user_id}/auth/keys/{api_key_id} delete:/users/{user_name} patch:/users/{user_name} | ||||
| CVE-2025-37729 | 1 Elastic | 1 Elastic Cloud Enterprise | 2025-12-11 | 9.1 Critical |
| Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated. | ||||
| CVE-2019-7609 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2025-11-07 | 9.8 Critical |
| Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | ||||
| CVE-2025-37735 | 2 Elastic, Microsoft | 2 Defend, Windows | 2025-11-07 | 7 High |
| Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation. | ||||
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-30 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||||
| CVE-2025-25017 | 1 Elastic | 1 Kibana | 2025-10-30 | 8.2 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | ||||
| CVE-2025-25018 | 1 Elastic | 1 Kibana | 2025-10-30 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) | ||||
| CVE-2015-1427 | 2 Elastic, Redhat | 4 Elasticsearch, Fuse, Jboss Amq and 1 more | 2025-10-22 | 9.8 Critical |
| The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. | ||||
| CVE-2025-37727 | 1 Elastic | 1 Elasticsearch | 2025-10-20 | 5.7 Medium |
| Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex | ||||
| CVE-2025-37728 | 1 Elastic | 1 Kibana | 2025-10-08 | 5.4 Medium |
| Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access. | ||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-10-02 | 9.9 Critical |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors | ||||
| CVE-2024-52979 | 1 Elastic | 1 Elasticsearch | 2025-10-02 | 6.5 Medium |
| Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. | ||||
| CVE-2025-25016 | 1 Elastic | 1 Kibana | 2025-10-02 | 4.3 Medium |
| Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. | ||||
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-10-02 | 9.1 Critical |
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | ||||
| CVE-2024-52981 | 1 Elastic | 1 Elasticsearch | 2025-10-02 | 4.9 Medium |
| An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. | ||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-10-02 | 8.7 High |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | ||||
| CVE-2023-46669 | 1 Elastic | 2 Elastic Agent, Endpoint Security | 2025-10-01 | 6.2 Medium |
| Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. | ||||