CVE-2025-68385 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

🗓️ 18 Dec 2025 22:08:37Reported by elasticType

Authenticated Kibana user can bypass Vega XSS mitigation to embed a malicious script causing XSS.

Reporter	Title	Published	Views	Family All 19
Chainguard	CVE-2025-68385 vulnerabilities	28 Jan 202619:17	–	cgr
CNNVD	Elastic Kibana 安全漏洞	18 Dec 202500:00	–	cnnvd
CVE	CVE-2025-68385	18 Dec 202522:08	–	cve
Elastic	Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)	18 Dec 202521:24	–	elastic
EUVD	EUVD-2025-204410	19 Dec 202500:31	–	euvd
NVD	CVE-2025-68385	18 Dec 202523:15	–	nvd
OSV	BIT-ELK-2025-68385 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	20 Dec 202511:36	–	osv
OSV	BIT-KIBANA-2025-68385 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	20 Dec 202511:39	–	osv
OSV	CGA-RW7H-RG2W-8PQJ	28 Jan 202617:32	–	osv
OSV	MINI-52PM-QF3C-W8H6	23 Feb 202620:02	–	osv

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThanOrEqual": "7.17.29",
        "status": "affected",
        "version": "7.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.19.8",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.1.8",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.2.2",
        "status": "affected",
        "version": "9.2.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
discuss	www.discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182

18 Dec 2025 22:08Current

CVSS 3.17.2

EPSS0.00025

CWE-79