elastic
256 tracked vulnerabilities.
CVE-2026-33460
MEDIUM
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Apr 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-26940
MEDIUM
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26939
MEDIUM
Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26933
MEDIUM
Improper Validation of Array Index in Packetbeat Leading to Denial of Service
Mar 19, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-26931
MEDIUM
Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service
Mar 19, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-26938
HIGH
Kibana - Authenticated Server-Side Request Forgery and Arbitrary File Read via Workflows Template Injection
Feb 26, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-26937
MEDIUM
Kibana 8.0.0-8.19.11 - Denial of Service via Timelion Input Data Manipulation
Feb 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26936
MEDIUM
Kibana AI Inference Anonymization - DoS
Feb 26, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-26935
MEDIUM
Kibana 8.4.0-8.19.12 - Denial of Service via Content Connectors Search Endpoint
Feb 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26934
MEDIUM
Kibana 8.18.0-8.19.11 - Authenticated Denial of Service via Input Data Manipulation
Feb 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-0532
HIGH
Kibana 8.15.0-8.19.8, 9.0.0-9.1.8, 9.2.0-9.2.2 - Authenticated Arbitrary File Read and SSRF via Google Gemini Connector
Jan 14, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-0529
MEDIUM
Packetbeat 7.0.0-7.17.28, 8.0.0-8.19.8, 9.0.0-9.1.8, 9.2.0-9.2.2 - Denial of Service via MongoDB Protocol Parser
Jan 14, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-0543
MEDIUM
Kibana 7.0.0-7.17.29 - Authenticated Denial of Service via Email Connector Address Parameter
Jan 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-0531
MEDIUM
Kibana 7.10.0-7.17.29 - Authenticated Denial of Service via Bulk Retrieval Request
Jan 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-0530
MEDIUM
Kibana 7.10.0-7.17.29 - Denial of Service via Fleet Resource Exhaustion
Jan 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-0528
MEDIUM
Elastic Kibana < 7.17.29 - Improper Array Index Validation
Jan 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-68422
MEDIUM
Kibana 7.0.0-7.17.29 - Authenticated Privilege Escalation via Crafted HTTP Request
Dec 18, 2025
CVSS 4.3
EPSS 0.00
CVE-2025-68390
MEDIUM
Elasticsearch 7.0.0-7.17.28 and 8.0.0-8.19.7 - Authenticated Denial of Service via Snapshot Restore Memory Allocation
Dec 18, 2025
CVSS 4.9
EPSS 0.00
CVE-2025-68389
MEDIUM
Kibana 7.0.0-7.17.29 - Authenticated Denial of Service via Resource Exhaustion
Dec 18, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-68387
MEDIUM
Kibana 7.0.0-7.17.29 - Unauthenticated Cross-Site Scripting via Vega AST Evaluator
Dec 18, 2025
CVSS 6.1
EPSS 0.00
CVE-2025-68386
MEDIUM
Kibana 7.0.0-7.17.28 - Authenticated Privilege Escalation via Document Sharing Type Manipulation
Dec 18, 2025
CVSS 4.3
EPSS 0.00
CVE-2025-68385
HIGH
Kibana 7.0.0-7.17.29 - Authenticated Cross-Site Scripting via Vega Method
Dec 18, 2025
CVSS 7.2
EPSS 0.00
CVE-2025-68388
MEDIUM
Packetbeat 8.6.0-8.19.8 & <7.0.0-alpha2 - DoS via Malicious IPv4 Fragments
Dec 18, 2025
CVSS 5.3
EPSS 0.00
CVE-2025-68384
MEDIUM
Elasticsearch 7.0.0-7.17.28 and 8.0.0-8.19.8 - Authenticated Denial of Service via Oversized User Settings Data
Dec 18, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-68383
MEDIUM
Filebeat 7.0.0-7.17.28 and 7.7.0-8.19.8 - Denial of Service via Malformed Syslog Message or Dissect Tokenizer Pattern
Dec 18, 2025
CVSS 6.5
EPSS 0.00
Products
kibana 117
elasticsearch 50
Kibana 32
logstash 13
elastic_cloud_enterprise 9
x-pack 9
beats 7
Elastic X-Pack Security 6
endpoint_security 6
elastic_agent 5
enterprise_search 5
Logstash 4
Elastic Defend 3
Elasticsearch 3
Packetbeat 3
apm_agent 3
apm_server 3
APM Server 2
Fleet Server 2
X-Pack Security 2
apm-server 2
elastic_app_search 2
elastic_beats 2
elastic_cloud_on_kubernetes 2
elasticsearch_x-pack 2
endgame 2
filebeat 2
fleet_server 2
kibana_x-pack 2
logstash_x-pack 2
Quick Filters