CVE-2025-68387 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

🗓️ 18 Dec 2025 22:11:39Reported by elasticType

CVE-2025-68387 Kibana allows unauthenticated XSS via improper input neutralization in Vega AST evaluator.

Reporter	Title	Published	Views	Family All 19
Chainguard	CVE-2025-68387 vulnerabilities	28 Jan 202619:17	–	cgr
CNNVD	Elastic Kibana 安全漏洞	18 Dec 202500:00	–	cnnvd
CVE	CVE-2025-68387	18 Dec 202522:11	–	cve
Elastic	Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)	18 Dec 202521:25	–	elastic
EUVD	EUVD-2025-204409	19 Dec 202500:31	–	euvd
NVD	CVE-2025-68387	18 Dec 202523:15	–	nvd
OSV	BIT-ELK-2025-68387 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	20 Dec 202511:36	–	osv
OSV	BIT-KIBANA-2025-68387 Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	20 Dec 202511:39	–	osv
OSV	CGA-3W76-R577-GV3F	28 Jan 202617:31	–	osv
OSV	MINI-3H8F-PMHR-83M7	4 Mar 202605:21	–	osv

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThanOrEqual": "7.17.29",
        "status": "affected",
        "version": "7.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.19.8",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.1.8",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.2.2",
        "status": "affected",
        "version": "9.2.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
discuss	www.discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183

18 Dec 2025 22:11Current

CVSS 3.16.1

EPSS0.00172

CWE-79