Lucene search

5 matches found

Elastic
added 2025/11/12 9:33 a.m., 13 views

Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)

Kibana Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' ESA-2025-25 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in Kibana can lead to DOM-based XSS due to the use of Vega. The issue on Vega is tracked as CVE-2025-59840...

CVSS: 8.2, AI score: 5.3, EPSS: 0.00034
Exploits: 0
Snyk
added 2025/10/10 10:41 a.m., 1 views

Cross-site Scripting (XSS)

Overview: kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper input neutralization in the web page generation in Vega visualizations. An attacker can...

CVSS: 8.2, AI score: 5.4, EPSS: 0.00025
Exploits: 0, References: 2
Tenable Nessus
added 2025/10/10 12:0 a.m., 6 views

Kibana 7.0.x <= 7.17.29 / 8.0.x <= 8.18.7 / 8.19.x <= 8.19.3 / 9.0.x <= 9.0.6 / 9.1.x <= 9.1.3 XSS (ESA-2025-16)

The version of Kibana running on the remote host is prior to 7.0 prior to 7.17.29, 8.0 prior to 8.18.7, 8.19 prior to 8.19.3, 9.0 prior to 9.0.6 and 9.1 prior to 9.1.6. It is, therefore, affected by a cross-site scripting vulnerability as referenced in the ESA-2025-16 advisory. - Improper...

CVSS: 8.2, AI score: 5.2, EPSS: 0.00025
Exploits: 0, References: 2
Elastic
added 2025/10/06 4:24 p.m., 9 views

Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)

Kibana Cross-Site-Scripting (XSS) ESA-2025-16: Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS). Affected Versions: 7.x: All versions from 7.0.0 and up to and including 7.17.29; 8.x: All versions from 8.0.0 and up to and...

CVSS: 8.2, AI score: 6.5, EPSS: 0.00025
Exploits: 0
RedhatCVE
added 2021/02/10 9:43 p.m., 23 views

CVE-2020-26296

A flaw was found in nodejs-vega. An attacker, using a specially crafted Vega expression, could execute a cross-site scripting attack on a victim's machine, allowing them to execute arbitrary JavaScript. The highest threat from this vulnerability is to data confidentiality and integrity. Mitigation...

CVSS: 8.7, AI score: 3.1, EPSS: 0.00407
Exploits: 0, References: 5