cvelistv5 - cve-2026-42401

CVE-2026-42401 (GCVE-0-2026-42401)

Vulnerability from cvelistv5

Published

2026-05-28 19:40

Modified

2026-05-29 16:47

Severity ?

4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.

References

URL

Tags

https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552

Impacted products

	Vendor	Product	Version
	Elastic	Kibana	Version: 9.0.0 ≤ 9.3.4 Version: 8.0.0 ≤ 8.19.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42401",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T16:27:57.417044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T16:47:35.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kibana",
          "vendor": "Elastic",
          "versions": [
            {
              "lessThanOrEqual": "9.3.4",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.19.15",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user\u0027s browser session.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user\u0027s browser session."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T19:40:21.015Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "url": "https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552"
        }
      ],
      "source": {
        "discovery": "Elastic"
      },
      "title": "Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection",
      "x_generator": {
        "engine": "Elastic CVE Publisher 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2026-42401",
    "datePublished": "2026-05-28T19:40:21.015Z",
    "dateReserved": "2026-04-27T10:14:34.318Z",
    "dateUpdated": "2026-05-29T16:47:35.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42401\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-29T16:27:57.417044Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-29T16:28:02.797Z\"}}], \"cna\": {\"title\": \"Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection\", \"source\": {\"discovery\": \"Elastic\"}, \"impacts\": [{\"capecId\": \"CAPEC-137\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-137 Parameter Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Elastic\", \"product\": \"Kibana\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.3.4\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.19.15\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552\"}], \"x_generator\": {\"engine\": \"Elastic CVE Publisher 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user\u0027s browser session.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user\u0027s browser session.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"271b6943-45a9-4f3a-ab4e-976f3fa05b5a\", \"shortName\": \"elastic\", \"dateUpdated\": \"2026-05-28T19:40:21.015Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42401\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-29T16:47:35.539Z\", \"dateReserved\": \"2026-04-27T10:14:34.318Z\", \"assignerOrgId\": \"271b6943-45a9-4f3a-ab4e-976f3fa05b5a\", \"datePublished\": \"2026-05-28T19:40:21.015Z\", \"assignerShortName\": \"elastic\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0661

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Elastic Kibana. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Elastic	Kibana	Kibana versions 8.x antérieures à 8.19.16
Elastic	Kibana	Kibana versions 9.x antérieures à 9.3.5
Elastic	Kibana	Kibana versions 9.4.x antérieures à 9.4.2

References

Title

Publication Time

Tags

Bulletin de sécurité Elastic 386552	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386556	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386554	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386551	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386545	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386561	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386559	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386548	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386562	2026-05-28	vendor-advisory
Bulletin de sécurité Elastic 386557	2026-05-28	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Kibana versions 8.x ant\u00e9rieures \u00e0 8.19.16",
      "product": {
        "name": "Kibana",
        "vendor": {
          "name": "Elastic",
          "scada": false
        }
      }
    },
    {
      "description": "Kibana versions 9.x ant\u00e9rieures \u00e0 9.3.5",
      "product": {
        "name": "Kibana",
        "vendor": {
          "name": "Elastic",
          "scada": false
        }
      }
    },
    {
      "description": "Kibana versions 9.4.x ant\u00e9rieures \u00e0 9.4.2",
      "product": {
        "name": "Kibana",
        "vendor": {
          "name": "Elastic",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-49095",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-49095"
    },
    {
      "name": "CVE-2026-33462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33462"
    },
    {
      "name": "CVE-2026-42399",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-42399"
    },
    {
      "name": "CVE-2026-42398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-42398"
    },
    {
      "name": "CVE-2026-49094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-49094"
    },
    {
      "name": "CVE-2026-33463",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33463"
    },
    {
      "name": "CVE-2026-33464",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33464"
    },
    {
      "name": "CVE-2026-42400",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-42400"
    },
    {
      "name": "CVE-2026-42401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-42401"
    },
    {
      "name": "CVE-2026-49093",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-49093"
    }
  ],
  "initial_release_date": "2026-05-29T00:00:00",
  "last_revision_date": "2026-05-29T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0661",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-05-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Elastic Kibana. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Elastic Kibana",
  "vendor_advisories": [
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386552",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386556",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-36/386556"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386554",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-2-security-update-esa-2026-35/386554"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386551",
      "url": "https://discuss.elastic.co/t/8-19-16-9-3-5-security-update-esa-2026-33/386551"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386545",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-30/386545"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386561",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-security-update-esa-2026-39/386561"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386559",
      "url": "https://discuss.elastic.co/t/kibana-fleet-8-19-16-9-3-5-and-9-4-2-security-update-esa-2026-38/386559"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386548",
      "url": "https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-9-4-1-security-update-esa-2026-32/386548"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386562",
      "url": "https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-40/386562"
    },
    {
      "published_at": "2026-05-28",
      "title": "Bulletin de s\u00e9curit\u00e9 Elastic 386557",
      "url": "https://discuss.elastic.co/t/kibana-9-2-8-and-9-3-2-security-update-esa-2026-37/386557"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2026-42401 (GCVE-0-2026-42401)

Vulnerability from cvelistv5

CERTFR-2026-AVI-0661

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature