Kibana Timelion - Arbitrary Code Execution

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType

Kibana Timelion - Arbitrary Code Execution in versions before 5.6.15 and 6.6.1 allows unauthorized access, data leakage, and system compromise via executing arbitrary JavaScript commands

Reporter	Title	Published	Views	Family All 60
0day.today	Kibana Timelion Prototype Pollution Remote Code Execution Exploit	11 Sep 202300:00	–	zdt
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	8 Dec 202020:38	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	6 May 202015:20	–	gitee
Gitee	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Safari	23 Jan 202218:42	–	gitee
GithubExploit	Exploit for Code Injection in Elastic Kibana	21 Oct 201907:32	–	githubexploit
GithubExploit	PoC_n_Dockerfile_4_PentestFinalProject_Group02	14 Apr 202614:38	–	githubexploit
GithubExploit	Exploit for Type Confusion in Adobe Acrobat_Dc	25 Oct 202511:16	–	githubexploit
GithubExploit	Exploit for Code Injection in Elastic Kibana	21 Oct 201915:31	–	githubexploit
GithubExploit	Exploit for Code Injection in Elastic Kibana	24 Aug 202104:38	–	githubexploit
Tenable Nessus	Kibana 5.x < 5.6.15 / 6.x < 6.6.1 Multiple Vulnerabilities	24 Oct 201900:00	–	nessus

Source	Link
github	www.github.com/mpgn/CVE-2019-7609
discuss	www.discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-7609
elastic	www.elastic.co/community/security
access	www.access.redhat.com/errata/RHBA-2019:2824

id: CVE-2019-7609

info:
  name: Kibana Timelion - Arbitrary Code Execution
  author: dwisiswant0
  severity: critical
  description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
  impact: |
    Arbitrary code execution can result in unauthorized access, data leakage, and system compromise.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of Kibana to mitigate the vulnerability.
  reference:
    - https://github.com/mpgn/CVE-2019-7609
    - https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7609
    - https://www.elastic.co/community/security
    - https://access.redhat.com/errata/RHBA-2019:2824
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2019-7609
    cwe-id: CWE-94
    epss-score: 0.95338
    epss-percentile: 0.99856
    cpe: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: elastic
    product: kibana
    shodan-query: http.title:"kibana"
    fofa-query: title="kibana"
    google-query: intitle:"kibana"
  tags: cve,cve2019,kibana,rce,kev,elastic,vkev,vuln

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/timelion/run"

    body: '{"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}'

    headers:
      Content-Type: "application/json; charset=utf-8"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "seriesList"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100923ba37b45a10bb55fb0f97a9035caa1bf5c789c0608ebead1424e5f6a5c6527022100b67cfc76915583b06a42aeb5a7291638c48b14dee58952b816767b131619acea:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

8.9High risk

Vulners AI Score8.9

CVSS 3.19.8 - 10

CVSS 210

EPSS0.95338

SSVC