Filtered by vendor Elastic
Subscribe
Total
229 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-8131 | 1 Elastic | 1 Kibana | 2026-05-06 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2014-4326 | 1 Elastic | 1 Logstash | 2026-05-06 | 7.5 HIGH | N/A |
| Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. | |||||
| CVE-2026-33467 | 1 Elastic | 1 Elastic Package Registry | 2026-05-05 | N/A | 5.9 MEDIUM |
| Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. | |||||
| CVE-2026-33461 | 1 Elastic | 1 Kibana | 2026-04-22 | N/A | 7.7 HIGH |
| Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | |||||
| CVE-2014-3120 | 1 Elastic | 1 Elasticsearch | 2026-04-22 | 6.8 MEDIUM | 8.1 HIGH |
| The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | |||||
| CVE-2015-1427 | 2 Elastic, Redhat | 2 Elasticsearch, Fuse | 2026-04-22 | 7.5 HIGH | 9.8 CRITICAL |
| The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. | |||||
| CVE-2026-33466 | 1 Elastic | 1 Logstash | 2026-04-21 | N/A | 8.1 HIGH |
| Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. | |||||
| CVE-2026-33460 | 1 Elastic | 1 Kibana | 2026-04-21 | N/A | 4.3 MEDIUM |
| Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. | |||||
| CVE-2026-4498 | 1 Elastic | 1 Kibana | 2026-04-13 | N/A | 7.7 HIGH |
| Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management). | |||||
| CVE-2026-33459 | 1 Elastic | 1 Kibana | 2026-04-13 | N/A | 6.5 MEDIUM |
| Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. | |||||
| CVE-2026-33458 | 1 Elastic | 1 Kibana | 2026-04-13 | N/A | 6.3 MEDIUM |
| Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. | |||||
| CVE-2026-26939 | 1 Elastic | 1 Kibana | 2026-03-23 | N/A | 6.5 MEDIUM |
| Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges. | |||||
| CVE-2026-26940 | 1 Elastic | 1 Kibana | 2026-03-23 | N/A | 6.5 MEDIUM |
| Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value. | |||||
| CVE-2026-26936 | 1 Elastic | 1 Kibana | 2026-03-02 | N/A | 4.9 MEDIUM |
| Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymization Engine in Kibana can lead Denial of Service via Regular Expression Exponential Blowup (CAPEC-492). | |||||
| CVE-2026-26934 | 1 Elastic | 1 Kibana | 2026-03-02 | N/A | 6.5 MEDIUM |
| Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing. | |||||
| CVE-2026-26935 | 1 Elastic | 1 Kibana | 2026-03-02 | N/A | 6.5 MEDIUM |
| Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153) | |||||
| CVE-2026-26937 | 1 Elastic | 1 Kibana | 2026-03-02 | N/A | 6.5 MEDIUM |
| Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153) | |||||
| CVE-2026-26938 | 1 Elastic | 1 Kibana | 2026-03-02 | N/A | 8.6 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege. | |||||
| CVE-2024-37282 | 1 Elastic | 1 Elastic Cloud Enterprise | 2026-01-30 | N/A | 8.1 HIGH |
| It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges. | |||||
| CVE-2026-0543 | 1 Elastic | 1 Kibana | 2026-01-22 | N/A | 6.5 MEDIUM |
| Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed. | |||||