These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-49095 is a medium-severity (CVSS 6.5) improper input validation vulnerability (CWE-20) in Kibana's Fleet agent policy management feature, published 2026-05-28. An authenticated attacker with Fleet management privileges can inject malicious values into configuration overrides, causing Elastic Agents to receive API keys with elevated Elasticsearch privileges. This grants unauthorized read/write acc [truncated]
A denial-of-service vulnerability in Kibana allows authenticated users with viewer-level permissions to trigger excessive CPU and memory consumption by submitting oversized input values to an analytics collections management endpoint. The vulnerability stems from uncontrolled resource consumption (CWE-400) during request processing, causing Kibana to become unavailable to all users until manual service re [truncated]
A Server-Side Request Forgery (SSRF) vulnerability in Kibana allows authenticated users with connector management privileges to bypass operator-configured connector allowlists. The flaw enables outbound requests from the Kibana server to destinations that egress controls were designed to block. This vulnerability is rated MEDIUM severity with a CVSS score of 6.3. The issue was disclosed on May 28, 2026, w [truncated]
A medium-severity uncontrolled resource consumption vulnerability in Kibana allows authenticated remote attackers to cause denial of service through excessive memory and CPU consumption. The vulnerability stems from processing of specially crafted compressed request payloads that occurs prior to authorization checks, enabling resource exhaustion attacks that can render Kibana instances unresponsive or cau [truncated]
A denial-of-service vulnerability in Kibana's Timelion visualization engine allows authenticated low-privileged users to trigger uncontrolled memory consumption. The flaw stems from improper handling of deeply chained function calls in Timelion expressions, causing exponential growth of internal data structures that exhaust available memory and crash the Kibana service. This affects availability for all u [truncated]
A Server-Side Request Forgery (SSRF) vulnerability in Kibana allows authenticated users with connector management privileges to bypass operator-configured egress restrictions. The flaw exists in the Webhook connector functionality, where crafted target configurations can cause Kibana to issue outbound requests to destinations that should be blocked by allowlist controls. This represents a scope change (S: [truncated]
A stored HTML injection vulnerability in Kibana allows users with write access to an Elasticsearch index to persist unsanitized markup. When another user views affected Kibana views, the crafted content renders without adequate sanitization, potentially enabling unauthorized UI manipulation and outbound network requests from the victim's browser session. The vulnerability stems from improper neutralizatio [truncated]
CVE-2026-33464 is a medium-severity uncontrolled resource consumption vulnerability in Kibana, published 2026-05-28. An authenticated low-privileged user can submit an oversized payload to an internal Kibana API, causing resource exhaustion and denial of service. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with attack pattern CAPEC-130 (Excessive Allocation). CVSS 3.1 sc [truncated]
A logic error in Kibana's time-bounded access token validation allows expired tokens to remain usable, enabling unauthorized information disclosure. The vulnerability stems from improper expiration timestamp validation (CWE-672), where tokens are not properly invalidated after their intended validity window expires. An unauthenticated actor in possession of such a token can retrieve associated content bey [truncated]
A path traversal vulnerability in Kibana's dashboard management functionality allows an authenticated low-privilege user to craft a malicious dashboard identifier. When an administrator subsequently deletes this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially causing unauthorized deletion of user accounts or other resources. The at [truncated]
CVE-2015-1427 is a remote code execution issue associated with Elasticsearch’s Groovy scripting engine and is listed by CISA as a Known Exploited Vulnerability. For defenders, that means the risk is not theoretical: affected Elasticsearch deployments should be treated as patch-priority work and updated according to vendor instructions.
CVE-2014-3120 is a remote code execution issue affecting Elastic Elasticsearch and is listed in CISA’s Known Exploited Vulnerabilities catalog. CISA’s record indicates the issue has known exploitation activity and directs defenders to apply updates per vendor instructions.
CVE-2019-7609 is an arbitrary code execution vulnerability in Elastic's Kibana. CISA added it to the Known Exploited Vulnerabilities catalog, which indicates known exploitation and makes patching a priority for defenders. The supplied authoritative sources identify the issue, but provide limited technical detail in this corpus; the safe response is to inventory affected Kibana deployments and ap [truncated]