Filtered by vendor Elastic
Total: 185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-25018 | 1 Elastic | 1 Kibana | 2025-10-30 | N/A | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) |
| CVE-2015-1427 | 2 Elastic, Redhat | 2 Elasticsearch, Fuse | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL | The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. |
| CVE-2024-52979 | 1 Elastic | 1 Elasticsearch | 2025-10-02 | N/A | 6.5 MEDIUM | Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. |
| CVE-2025-25016 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 4.3 MEDIUM | Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. |
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 9.1 CRITICAL | A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. |
| CVE-2023-46669 | 1 Elastic | 2 Elastic Agent, Endpoint Security | 2025-10-01 | N/A | 6.2 MEDIUM | Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. |
| CVE-2024-11390 | 1 Elastic | 1 Kibana | 2025-10-01 | N/A | 5.4 MEDIUM | Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. |
| CVE-2024-52976 | 1 Elastic | 1 Elastic Agent | 2025-10-01 | N/A | 4.4 MEDIUM | Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations. |
| CVE-2025-25010 | 1 Elastic | 1 Kibana | 2025-10-01 | N/A | 6.5 MEDIUM | Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. |
| CVE-2024-43706 | 1 Elastic | 1 Kibana | 2025-10-01 | N/A | 7.6 HIGH | Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. |
| CVE-2025-25012 | 1 Elastic | 1 Kibana | 2025-09-30 | N/A | 4.3 MEDIUM | URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. |
| CVE-2016-1000218 | 1 Elastic | 1 Kibana Reporting | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH | Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. |
| CVE-2016-1000222 | 1 Elastic | 1 Logstash | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. |
| CVE-2016-1000221 | 1 Elastic | 1 Logstash | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. |
| CVE-2015-5378 | 2 Elastic, Elasticsearch | 2 Logstash, Logstash | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server. |
| CVE-2016-1000220 | 1 Elastic | 1 Kibana | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. |
| CVE-2015-5619 | 2 Elastic, Elasticsearch | 2 Logstash, Logstash | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM | Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack. |
| CVE-2016-1000219 | 1 Elastic | 1 Kibana | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. |
| CVE-2014-4326 | 1 Elastic | 1 Logstash | 2025-04-12 | 7.5 HIGH | N/A | Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. |
| CVE-2015-8131 | 1 Elastic | 1 Kibana | 2025-04-12 | 6.8 MEDIUM | N/A | Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
