CVE-2025-25009 PUBLISHED

Kibana Cross-Site Scripting (XSS)

Assigner: elastic
Reserved: 31.01.2025 Published: 07.10.2025 Updated: 07.10.2025

Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Product Status

Vendor Elastic
Product Kibana
Versions Default: unaffected
  • affected from 7.0.0 to 7.17.29 (incl.)
  • affected from 8.14.0 to 8.18.7 (incl.)
  • affected from 8.19.0 to 8.19.4 (incl.)
  • affected from 9.0.0 to 9.0.7 (incl.)
  • affected from 9.1.0 to 9.1.4 (incl.)

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Impacts

  • CAPEC-592 Stored XSS