
Elastic Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Elastic products.

8 known CVE vulnerabilities tracked

Severity breakdown: Critical 0, High 1, Medium 7, Low 0, None 0

Vulnerabilities by year: all 8 published in 2025 (Dec 18, 2025)

Products affected: Kibana (5), Elasticsearch (2), Filebeat (1)

All Elastic CVEs

CVE-2025-68422
Kibana | CVSS 4.3 (medium) | published Dec 18, 2025

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the "live queries - read" permission to successfully retrieve the list of l

CVE-2025-68390
Elasticsearch | CVSS 4.9 (medium) | published Dec 18, 2025

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request.

CVE-2025-68389
Kibana | CVSS 6.5 (medium) | published Dec 18, 2025

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

CVE-2025-68387
Kibana | CVSS 6.1 (medium) | published Dec 18, 2025

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST

CVE-2025-68386
Kibana | CVSS 4.3 (medium) | published Dec 18, 2025

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global" via a crafted HTTP request, even though they do not have permission to do so, making the document visible to everyone in the space.

CVE-2025-68385
Kibana | CVSS 7.2 (high) | published Dec 18, 2025

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitig

CVE-2025-68384
Elasticsearch | CVSS 6.5 (medium) | published Dec 18, 2025

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) via submission of oversized user settings data, resulting in a persistent denial of service (OOM crash).

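The three CWE-770 entries above (CVE-2025-68390, CVE-2025-68389 and CVE-2025-68384) share one shape: an authenticated client sends a request whose size or cost the server never bounds, and the allocation it triggers is the attack. The Go program below is an added illustration of that pattern and its fix, not code from Elasticsearch or Kibana. It shows the oversized-payload case closest to CVE-2025-68384: a settings-update handler that buffers the entire body with io.ReadAll, beside one that wraps the body in http.MaxBytesReader and answers 413 once the cap is exceeded, before the payload is ever held in memory in full. The /settings route, the 4 KiB cap and the JSON documents are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxSettingsBytes is an illustrative cap on a client-submitted settings
// document. It is an assumption for this example, not an Elastic value.
const maxSettingsBytes = 4 * 1024

// storeSettings stands in for whatever the server does with a valid document.
func storeSettings(w http.ResponseWriter, body []byte) {
	var settings map[string]any
	if err := json.Unmarshal(body, &settings); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "stored %d keys", len(settings))
}

// unboundedHandler reads the whole body before validating it, so the server
// allocates as many bytes as the client is willing to send (CWE-770).
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no limit: allocation grows with the request
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	storeSettings(w, body)
}

// boundedHandler wraps the body so reads fail as soon as the cap is passed.
// The oversized payload is never buffered beyond maxSettingsBytes.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxSettingsBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "settings document too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	storeSettings(w, body)
}

// submit drives a handler with an in-memory PUT and returns the status code.
func submit(h http.HandlerFunc, payload string) int {
	req := httptest.NewRequest(http.MethodPut, "/settings", strings.NewReader(payload))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// oversizedSettings builds a syntactically valid JSON document of roughly n
// bytes. Constructed input for the example.
func oversizedSettings(n int) string {
	return `{"note":"` + strings.Repeat("A", n) + `"}`
}

func main() {
	small := `{"theme":"dark"}`
	big := oversizedSettings(maxSettingsBytes * 4)
	fmt.Println("unbounded, small:", submit(unboundedHandler, small))
	fmt.Println("unbounded, big:  ", submit(unboundedHandler, big))
	fmt.Println("bounded, small:  ", submit(boundedHandler, small))
	fmt.Println("bounded, big:    ", submit(boundedHandler, big))
}
```

The unbounded handler accepts the 16 KiB document just as happily as it would accept a 16 GiB one; the bounded handler rejects it with 413 while a well-formed small document still succeeds. The same idea applies beyond body size: any work a request can make the server do (decompression, snapshot metadata, query fan-out) needs a limit the client cannot raise.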
CVE-2025-68383
Filebeat | CVSS 6.5 (medium) | published Dec 18, 2025

Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in the Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog mess
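CVE-2025-68383 describes CWE-1285 in a log tokenizer: an index computed from the input is used without checking that it is in range, so a malformed message turns a parse error into a process crash, and a collector that ingests untrusted logs goes down on one bad line. The Go program below is an added illustration of that bug class, not Filebeat's or libbeat's code. It is a toy dissect-style tokenizer: the unchecked version slices with the result of strings.Index directly, so a message missing a delimiter yields -1 and the slice expression panics; the checked version validates the index and returns an error the caller can drop or log. The pattern syntax, field names and sample log lines are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// piece is one "%{field}" of a dissect-style pattern plus the literal
// delimiter that follows it (empty for the last field, which takes the rest).
type piece struct {
	field string
	delim string
}

// parsePattern turns "%{ts} %{host} %{msg}" into pieces. This is a toy
// pattern language invented for the example, not the Beats dissect grammar.
func parsePattern(pattern string) []piece {
	var pieces []piece
	for {
		start := strings.Index(pattern, "%{")
		if start < 0 {
			return pieces
		}
		end := strings.Index(pattern[start:], "}")
		if end < 0 {
			return pieces
		}
		field := pattern[start+2 : start+end]
		rest := pattern[start+end+1:]
		delim := rest // default: everything up to the next field, or the tail
		if next := strings.Index(rest, "%{"); next >= 0 {
			delim = rest[:next]
		}
		pieces = append(pieces, piece{field: field, delim: delim})
		pattern = rest[len(delim):]
	}
}

// dissectUnchecked assumes every delimiter is present. strings.Index returns
// -1 when it is not, and rest[:idx] with idx == -1 panics with
// "slice bounds out of range": the CWE-1285 shape, one malformed line
// crashing the whole process.
func dissectUnchecked(pattern, msg string) map[string]string {
	fields := map[string]string{}
	rest := msg
	for _, p := range parsePattern(pattern) {
		if p.delim == "" {
			fields[p.field] = rest
			break
		}
		idx := strings.Index(rest, p.delim) // -1 if the delimiter is missing
		fields[p.field] = rest[:idx]        // panics on -1
		rest = rest[idx+len(p.delim):]
	}
	return fields
}

// dissectChecked validates the computed offset before using it and reports
// a malformed message as an error, so one bad line is rejected rather than
// taking the collector down.
func dissectChecked(pattern, msg string) (map[string]string, error) {
	fields := map[string]string{}
	rest := msg
	for _, p := range parsePattern(pattern) {
		if p.delim == "" {
			fields[p.field] = rest
			break
		}
		idx := strings.Index(rest, p.delim)
		if idx < 0 {
			return nil, fmt.Errorf("field %q: delimiter %q not found in %q", p.field, p.delim, rest)
		}
		fields[p.field] = rest[:idx]
		rest = rest[idx+len(p.delim):]
	}
	return fields, nil
}

// panics reports whether f panics, recovering so the caller survives. It
// stands in for the supervisor a real collector does not have around its
// parser, which is why the unchecked version is a denial of service.
func panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	pattern := "%{ts} %{host} %{prog}: %{msg}"
	// Constructed sample lines: one well-formed, one missing the ": " delimiter.
	good := "2025-12-18T10:00:00Z web01 sshd: Accepted publickey for ops"
	bad := "2025-12-18T10:00:00Z web01 noprogram"

	fmt.Println("unchecked, good line panics:", panics(func() { dissectUnchecked(pattern, good) }))
	fmt.Println("unchecked, bad line panics: ", panics(func() { dissectUnchecked(pattern, bad) }))
	fields, err := dissectChecked(pattern, good)
	fmt.Println("checked, good line:", fields, err)
	_, err = dissectChecked(pattern, bad)
	fmt.Println("checked, bad line:", err)
}
```

The fix is not the recover(): wrapping a parser in recover keeps the process alive but hides the bug and still costs a stack unwind per hostile line. The fix is checking every index derived from input before it is used to slice, and treating a failed check as a malformed-input error on that one event.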