42 matches found
CVE-2026-33460
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector (ESA-2026-05). External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially...
EUVD-2018-15607
Malware in sbrugna...
EUVD-2019-17148
Malware in sbrugna...
EUVD-2017-3100
Malware in sbrugna...
EUVD-2017-17394
Malware in sbrugna...
EUVD-2020-28154
Malware in sbrugna...
EUVD-2025-6024
Malicious code in bioql PyPI...
EUVD-2024-36559
Malicious code in bioql PyPI...
EUVD-2021-9288
Malicious code in bioql PyPI...
EUVD-2023-35725
Malicious code in bioql PyPI...
EUVD-2025-13046
Malicious code in bioql PyPI...
EUVD-2024-36560
Malicious code in bioql PyPI...
EUVD-2021-9298
Malicious code in bioql PyPI...
CVE-2023-31414
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host syste...
Kibana 7.17.6 < 7.17.24 / 8.4.x < 8.12.0 XSS (ESA-2024-20)
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. Note that Nessus has n...
BIT-KIBANA-2025-25014 Kibana arbitrary code execution via prototype pollution
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints...
Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)
Kibana arbitrary code execution via prototype pollution (ESA-2025-07). A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Affected Versions: 8.3.0 to 8.17.5, and 8.18.0, and 9.0.0 Affected...
CVE-2024-11390
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...
CVE-2025-25016
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation...