7 matches found
BIT-ELK-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
PT-2026-32431
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
Incorrect Authorization
Overview: kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Incorrect Authorization via the enrollment endpoint. An attacker can access Fleet Server policy details from unauthorized spaces b...
Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)
Incorrect Authorization in Kibana Fleet Leading to Information Disclosure. Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy...
PT-2026-31333
Name of the Vulnerable Software and Affected Versions: Kibana, affected versions not specified. Description: An incorrect authorization issue in Kibana can lead to cross-space information disclosure through privilege abuse. A user with Fleet agent management privileges in one Kibana space can retriev...
CVE-2026-2172
The CVE concerns code-projects Online Application System for Admission 1.0. The vulnerability is in the enrollment/index.php file of the Login Endpoint and is exploitable by manipulating input to cause SQL injection. It can be triggered remotely and the exploit has been publicly disclosed. Multip...
CVE-2025-10388 Selleo Mentingo Create New Course Basic Settings enroll-course cross site scripting
A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched...