Elasticsearch
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Elasticsearch product.
RSS Feeds for Elasticsearch security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Elasticsearch products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Elasticsearch Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Elasticsearch. Elasticsearch did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 5 | 0.00 |
| 2019 | 2 | 0.00 |
| 2018 | 1 | 6.10 |
It may take a day or so for new Elasticsearch vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Elasticsearch Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2020-7016 | Jul 27, 2020 |
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in TimelionKibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive. |
Kibana
|
| CVE-2020-7017 | Jul 27, 2020 |
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flawIn Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization. |
Kibana
|
| CVE-2020-7012 | Jun 03, 2020 |
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade AssistantKibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. |
Kibana
|
| CVE-2020-7013 | Jun 03, 2020 |
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVBKibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. |
Kibana
|
| CVE-2020-7015 | Jun 03, 2020 |
Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualizationKibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization. |
Kibana
|
| CVE-2019-7621 | Dec 18, 2019 |
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizationsKibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim�s browser. |
Kibana
|
| CVE-2019-7616 | Jul 30, 2019 |
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizerKibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. |
Kibana
|
| CVE-2018-3819 | Mar 30, 2018 |
The fix in Kibana for ESA-2017-23 was incompleteThe fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. |
Kibana
|
| CVE-2017-11479 | Sep 29, 2017 |
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in TimelionKibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. |
Kibana
|
| CVE-2015-8131 | Dec 07, 2015 |
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
Kibana
|