CVE-2025-68387

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::

History

23 Dec 2025, 19:07

Type	Values Removed	Values Added
First Time		Elastic Elastic kibana
CPE		cpe:2.3:a:elastic:kibana::::::::
References	~~() https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183 -~~	() https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183 - Vendor Advisory

18 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-18 23:15

Updated : 2025-12-23 19:07

NVD link : CVE-2025-68387

Mitre link : CVE-2025-68387

CVE.ORG link : CVE-2025-68387

JSON object : View

Products Affected

elastic

kibana

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10