Filtered by vendor Elastic
Total: 194 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-1427 | 2 Elastic, Redhat | 4 Elasticsearch, Fuse, Jboss Amq and 1 more | 2025-10-22 | 9.8 Critical |
| The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. | ||||
| CVE-2019-7609 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2025-10-22 | 9.8 Critical |
| Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | ||||
| CVE-2025-37729 | 1 Elastic | 1 Elastic Cloud Enterprise | 2025-10-21 | 9.1 Critical |
| Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated. | ||||
| CVE-2025-25018 | 1 Elastic | 1 Kibana | 2025-10-20 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS). | ||||
| CVE-2025-25017 | 1 Elastic | 1 Kibana | 2025-10-20 | 8.2 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS). | ||||
| CVE-2025-37727 | 1 Elastic | 1 Elasticsearch | 2025-10-20 | 5.7 Medium |
| Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API (https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex). | ||||
| CVE-2025-25009 | 1 Elastic | 1 Kibana | 2025-10-08 | 8.7 High |
| Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||||
| CVE-2025-37728 | 1 Elastic | 1 Kibana | 2025-10-08 | 5.4 Medium |
| Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access. | ||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-10-02 | 9.9 Critical |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors. | ||||
| CVE-2024-52979 | 1 Elastic | 1 Elasticsearch | 2025-10-02 | 6.5 Medium |
| Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. | ||||
| CVE-2025-25016 | 1 Elastic | 1 Kibana | 2025-10-02 | 4.3 Medium |
| Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. | ||||
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-10-02 | 9.1 Critical |
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | ||||
| CVE-2024-52981 | 1 Elastic | 1 Elasticsearch | 2025-10-02 | 4.9 Medium |
| An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow. | ||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-10-02 | 8.7 High |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | ||||
| CVE-2023-46669 | 1 Elastic | 2 Elastic Agent, Endpoint Security | 2025-10-01 | 6.2 Medium |
| Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. | ||||
| CVE-2024-11390 | 1 Elastic | 1 Kibana | 2025-10-01 | 5.4 Medium |
| Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. | ||||
| CVE-2024-52976 | 1 Elastic | 1 Elastic Agent | 2025-10-01 | 4.4 Medium |
| Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations. | ||||
| CVE-2025-25010 | 1 Elastic | 1 Kibana | 2025-10-01 | 6.5 Medium |
| Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. | ||||
| CVE-2024-37285 | 1 Elastic | 1 Kibana | 2025-10-01 | 9.1 Critical |
| A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them. The following Elasticsearch indices permissions are required: write privilege on the system indices .kibana_ingest*, and the allow_restricted_indices flag set to true. Any of the following Kibana privileges are additionally required: under Fleet the All privilege is granted; under Integration the Read or All privilege is granted; or access to the fleet-setup privilege is gained through the Fleet Server’s service account token. | ||||
| CVE-2024-43706 | 1 Elastic | 1 Kibana | 2025-10-01 | 7.6 High |
| Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. | ||||