In Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.7, from 9.0.0 up to and including 9.1.7, from 9.2.0 up to and including 9.2.1 a medium severity vulnerability CVE-2025-68386 was detected. This vulnerability is caused by improper authorization (CWE-285), allowing an authenticated attacker to escalate privileges by changing a document’s sharing type to “global” through a crafted HTTP request, even without the required permissions, thereby making the document visible to all users within the space. To address this issue, users should upgrade Kibana to versions 8.19.8, 9.1.8 and 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68386.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a high severity vulnerability CVE-2025-68385 was detected. This vulnerability allows authenticated attackers to perform cross-site scripting (XSS) by embedding malicious scripts into content served to users’ web browsers, due to improper neutralization of input during web page generation in a Vega method that bypasses a previous XSS mitigation. To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68385.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.6, from 9.0.0 up to and including 9.1.6, and 9.2.0 a medium severity vulnerability CVE-2025-68422 was detected. This vulnerability results from improper authorization (CWE-285) and allows an authenticated user to bypass intended permission restrictions via a crafted HTTP request, enabling access to the list of live queries without having the required live queries – read permission. To address this issue, users should upgrade Kibana to versions 8.19.7, 9.1.7 and 9.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68422.
Read more Data AnalyticsIn Filebeat versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a medium severity vulnerability CVE-2025-68383 was detected. This vulnerability stems from improper validation of specified index, position, or offset in input (CWE-1285) within the Syslog parser and the Libbeat Dissect processor, allowing a user to trigger a buffer overflow and cause a denial-of-service (panic/crash) of the Filebeat process via a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. To address this issue, users should upgrade Filebeat to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68383.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a medium severity vulnerability CVE-2025-68389 was detected. This vulnerability is caused by allocation of resources without limits or throttling (CWE-770), allowing a low-privileged authenticated attacker to trigger excessive resource consumption through a crafted HTTP request, resulting in a denial of service (DoS) of the Kibana process. To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68389.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a medium severity vulnerability CVE-2025-68387 was detected. This vulnerability stems from improper input neutralization during web page generation (CWE-79) in a Vega AST evaluator function handler, allowing unauthenticated attackers to inject malicious scripts that are served to users’ browsers and execute arbitrary code via cross-site scripting (XSS). To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68387.
Read more Data AnalyticsIn Elasticsearch versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, prior to 9.2.21 a medium severity vulnerability CVE-2025-37731 was detected. This vulnerability allows attackers to impersonate legitimate users through improper authentication in the PKI realm by using specially crafted client certificates signed by a trusted Certificate Authority. To address this issue, users should upgrade Elasticsearch to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37731.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, prior to 9.2.21 a medium severity vulnerability CVE-2025-37732 was detected. This vulnerability allows an authenticated attacker to perform cross-site scripting (XSS) by rendering arbitrary HTML tags in a user’s browser through the integration package upload functionality, bypassing a previous fix related to ESA-2025-17 (CVE-2025-25018) and enabling HTML injection during web page generation. To address this issue, users should upgrade Kibana to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37732.
Read more Data AnalyticsIn MongoDB Server versions before 8.0.16, 7.0.26, and 8.2.2 a low severity vulnerability CVE-2025-14345 was detected. This vulnerability can cause temporary data inconsistencies in cross-shard transactions. To fix this issue, users should upgrade to MongoDB Server versions 8.0.16, 7.0.26 or 8.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14345.
Read more Database