Description
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
Published: 2026-05-28
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in Kibana allows a user with write rights to an Elasticsearch index to store malicious markup. The stored markup is rendered without sufficient sanitization when another user views a Kibana object, enabling injected HTML to manipulate the user interface and trigger network requests from the victim's browser. This vulnerability falls under CWE-79 and could be leveraged by attackers with write access to devise phishing or data exfiltration tactics.

Affected Systems

The flaw affects Elastic Kibana. No specific version numbers are listed in the CNA data, but the vendor reference indicates that updates such as 8.19.16 and 9.3.5 contain the fix. All installations of Kibana that expose writeable indices to users who could craft content are considered at risk.

Risk and Exploitability

The CVSS score of 4.1 signals a moderate severity, and the EPSS score is not available, suggesting no publicly known exploit prevalence. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an attacker to obtain write access to an index and persist malicious HTML, then wait for an unprivileged user to view the affected Kibana view. Inference about the exact attack vector is based on the description of write access to a database and subsequent rendering by another user.

Generated by OpenCVE AI on May 28, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kibana to the latest security release (e.g., 8.19.16 or 9.3.5) to contain the fixed input neutralization logic.
  • Restrict write permissions on Elasticsearch indices to trusted users only, removing the ability to store arbitrary markup.
  • Enable or enforce server‑side sanitization or safe‑HTML rendering options to prevent stored HTML from executing in the client browser.

Generated by OpenCVE AI on May 28, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Elastic
Elastic kibana
Vendors & Products Elastic
Elastic kibana

Thu, 28 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
Title Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

Subscriptions

Elastic Kibana
cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published:

Updated: 2026-05-28T19:40:21.015Z

Reserved: 2026-04-27T10:14:34.318Z

Link: CVE-2026-42401

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T20:16:23.620

Modified: 2026-05-28T20:16:23.620

Link: CVE-2026-42401

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T20:30:25Z

Weaknesses