Cross-site scripting in Kibana - CVE-2026-42401

 


Published: May 29, 2026


Vulnerability identifier: #VU132761
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42401
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software: Kibana

Detailed vulnerability description

The vulnerability allows a remote user to manipulate the user interface and trigger outbound network requests from the victim's browser session.

The vulnerability exists due to cross-site scripting in an affected Kibana view when rendering crafted markup persisted in an Elasticsearch index. A remote user can store crafted markup in an Elasticsearch index to manipulate the user interface and trigger outbound network requests from the victim's browser session.

User interaction is required: exploitation occurs when another user views the affected Kibana content.


How to mitigate CVE-2026-42401

Install the security update from the vendor's website.
