CVE-2026-42401
MEDIUMImproper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
Title source: cnaDescription
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
References (1)
Core 1
Scores
CVSS v3
4.1
EPSS
0.0014
EPSS Percentile
3.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
Elastic/Kibana
8.0.0 - 8.19.15
elastic/kibana
8.0.0 - 8.19.16
Elastic/Kibana
9.0.0 - 9.3.4
Published
May 28, 2026
Tracked Since
May 29, 2026