pkg:Bitnami/elk

56 total CVEs: CRITICAL 3, HIGH 12, MEDIUM 41


All known vulnerabilities

  • CRITICAL 9.9 CVE-2025-25015: Kibana arbitrary code execution via prototype pollution
    >= 8.15.0, < 8.17.3
  • CRITICAL 9.8 CVE-2025-25014: Kibana arbitrary code execution via prototype pollution
    >= 8.3.0, < 8.18.1, >= 9.0.0, < 9.0.1
  • CRITICAL 9.8 CVE-2024-12556: Kibana Prototype Pollution can lead to code injection
    >= 8.16.1, < 8.17.1
  • HIGH 8.8 CVE-2024-43706: Kibana Improper Authorization
    >= 8.12.0, < 8.12.1
  • HIGH 8.8 CVE-2024-37288: A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted p…
    >= 8.15.0, < 8.15.1
  • HIGH 8.6 CVE-2026-0532: External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector
    from 0, < 8.19.10, >= 9.0.0, < 9.1.10, >= 9.2.0, < 9.2.4
  • HIGH 7.7 CVE-2026-42398: Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
    >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.2
  • HIGH 7.7 CVE-2026-4498: Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
    >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
  • HIGH 7.7 CVE-2026-33458: Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
    >= 9.3.0, < 9.3.3
  • HIGH 7.7 CVE-2026-26938: Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF)
    >= 9.3.0, < 9.3.1
  • HIGH 7.5 CVE-2026-26937: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.11, >= 9.0.0, < 9.2.5
  • HIGH 7.5 CVE-2026-26936: Inefficient Regular Expression Complexity in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.11, >= 9.0.0, < 9.2.5
  • HIGH 7.5 CVE-2026-26935: Improper Input Validation in Kibana Leading to Denial of Service
    >= 8.4.0, < 8.19.12, >= 9.0.0, < 9.2.6, >= 9.3.0, < 9.3.1
  • HIGH 7.3 CVE-2026-33462: Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5
  • HIGH 7.2 CVE-2024-37285: Kibana arbitrary code execution via YAML deserialization
    >= 8.10.0, < 8.15.1
  • MEDIUM 6.7 CVE-2020-7017: In Kibana versions before 6.8.11 and 7.8.1, the region map visualization contains a stored XSS flaw.
    from 0, < 6.8.11, >= 7.0.0, < 7.8.1
  • MEDIUM 6.5 CVE-2026-49095: Improper Input Validation in Kibana Fleet Leading to Privilege Escalation
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5, >= 9.4.0, < 9.4.2
  • MEDIUM 6.5 CVE-2026-49094: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.16
  • MEDIUM 6.5 CVE-2026-42400: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5, >= 9.4.0, < 9.4.2
  • MEDIUM 6.5 CVE-2026-42399: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5
  • MEDIUM 6.5 CVE-2026-33464: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    from 0, < 9.4.2
  • MEDIUM 6.5 CVE-2026-33461: Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
    >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
  • MEDIUM 6.5 CVE-2026-33459: Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
    >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
  • MEDIUM 6.5 CVE-2026-26934: Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service
    >= 8.18.0, < 8.19.12, >= 9.0.0, < 9.2.6, >= 9.3.0, < 9.3.1
  • MEDIUM 6.5 CVE-2026-0543: Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation
    from 0, < 8.19.10, >= 9.0.0, < 9.1.10, >= 9.2.0, < 9.2.4
  • MEDIUM 6.5 CVE-2026-0531: Allocation of Resources Without Limits or Throttling in Kibana Fleet
    from 0, < 8.19.10, >= 9.0.0, < 9.1.10, >= 9.2.0, < 9.2.4
  • MEDIUM 6.5 CVE-2026-0530: Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation
    from 0, < 8.19.10, >= 9.0.0, < 9.1.10, >= 9.2.0, < 9.2.4
  • MEDIUM 6.5 CVE-2025-68389: Kibana Allocation of Resources Without Limits or Throttling
    from 0, < 8.19.9, >= 9.0.0, < 9.1.9, >= 9.2.0, < 9.2.3
  • MEDIUM 6.5 CVE-2025-25010: Kibana privilege escalation via reporting_user role
    >= 9.0.0, < 9.0.6, >= 9.1.0, < 9.1.3
  • MEDIUM 6.5 CVE-2024-52974: An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash.
    >= 7.17.0, < 7.17.23, >= 8.0.0, < 8.15.1
  • MEDIUM 6.5 CVE-2024-43707: Kibana exposure of sensitive information to an unauthorized actor
    >= 8.0.0, < 8.15.0
  • MEDIUM 6.5 CVE-2024-43708: An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of…
    >= 7.0.0, < 7.17.23, >= 8.0.0, < 8.15.0
  • MEDIUM 6.5 CVE-2024-52972: Kibana allocation of resources without limits or throttling leads to crash
    >= 7.0.0, < 7.17.23, >= 8.0.0, < 8.15.0
  • MEDIUM 6.5 CVE-2024-37281: Kibana Denial of Service issue
    >= 7.0.0, < 7.17.23, >= 8.0.0, < 8.14.0
  • MEDIUM 6.3 CVE-2026-49093: Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
    >= 9.3.0, < 9.3.3
  • MEDIUM 6.1 CVE-2025-68387: Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    from 0, < 8.19.9, >= 9.0.0, < 9.1.9, >= 9.2.0, < 9.2.3
  • MEDIUM 6.1 CVE-2025-68385: Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    from 0, < 8.19.9, >= 9.0.0, < 9.1.9, >= 9.2.0, < 9.2.3
  • MEDIUM 6.1 CVE-2025-25017: Kibana Stored Cross-Site Scripting (XSS)
    from 0, < 8.18.8, >= 8.19.0, < 8.19.4, >= 9.0.0, < 9.0.7, >= 9.1.0, < 9.1.4
  • MEDIUM 6.1 CVE-2024-23442: Kibana open redirect issue
    from 0, < 7.17.22, >= 8.11.1, < 8.14.0
  • MEDIUM 5.4 CVE-2026-42401: Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.4.0
  • MEDIUM 5.4 CVE-2025-37732: Kibana Cross-site Scripting via the Integration Package Upload Functionality
    from 0, < 8.19.8, >= 9.0.0, < 9.1.8, >= 9.2.0, < 9.2.2
  • MEDIUM 5.4 CVE-2025-25018: Kibana Stored Cross-Site Scripting (XSS)
    from 0, < 8.18.8, >= 8.19.0, < 8.19.5, >= 9.0.0, < 9.0.8, >= 9.1.0, < 9.1.5
  • MEDIUM 5.4 CVE-2025-37728: Kibana Insufficiently Protected Credentials in the CrowdStrike Connector
    from 0, < 8.18.8, >= 8.19.0, < 8.19.5, >= 9.0.0, < 9.0.8, >= 9.1.0, < 9.1.5
  • MEDIUM 5.4 CVE-2025-25009: Kibana Cross-Site Scripting (XSS)
    from 0, < 8.18.8, >= 8.19.0, < 8.19.5, >= 9.0.0, < 9.0.8, >= 9.1.0, < 9.1.5
  • MEDIUM 5.4 CVE-2025-25012: Kibana Open Redirect
    >= 7.0.0, < 7.17.29, >= 8.0.0, < 8.18.3, >= 9.0.0, < 9.0.3
  • MEDIUM 5.4 CVE-2024-11390: Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS
    >= 7.17.6, < 7.17.23, >= 8.4.0, < 8.12.0
  • MEDIUM 5.3 CVE-2026-33463: Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access
    >= 8.0.0, < 8.19.16, >= 9.0.0, < 9.3.5
  • MEDIUM 4.9 CVE-2024-23443: A high-privileged user allowed to create custom osquery packs could affect the availability of Kibana by uploading a maliciously crafte…
    from 0, < 8.14.0
  • MEDIUM 4.8 CVE-2020-7016: Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion.
    from 0, < 6.8.11, >= 7.0.0, < 7.8.1
  • MEDIUM 4.3 CVE-2026-33460: Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
    >= 8.0.0, < 8.19.14, >= 9.0.0, < 9.2.8, >= 9.3.0, < 9.3.3
  • MEDIUM 4.3 CVE-2025-68422: Kibana Improper Authorization
    from 0, < 8.19.7, >= 9.0.0, < 9.1.7, >= 9.2.0, < 9.2.1
  • MEDIUM 4.3 CVE-2025-68386: Kibana Improper Authorization
    from 0, < 8.19.8, >= 9.0.0, < 9.1.8, >= 9.2.0, < 9.2.2
  • MEDIUM 4.3 CVE-2025-37734: Kibana Origin Validation Error
    >= 8.12.0, < 8.19.7, >= 9.1.0, < 9.1.7, >= 9.2.0, < 9.2.1
  • MEDIUM 4.3 CVE-2025-25016: Kibana Unrestricted Upload of File
    >= 7.17.0, < 7.17.18, >= 8.0.0, < 8.13.0
  • MEDIUM 4.3 CVE-2024-43710: Kibana server-side request forgery
    >= 8.7.0, < 8.15.0
  • MEDIUM 4.3 CVE-2024-37279: Kibana Broken Access Control issue
    >= 8.6.3, < 8.14.0