GCVE - cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:elastic:kibana:9.3.0:*:*:*:*:*:*:*

part: a version: 9.3.0 update: *

Vendor	Elastic (`1d0b8d2a-fd47-5b20-b005-34326f9bd037`)
Product	Kibana (`c13ee88f-9cd3-57c3-8d6e-bbf4a9872328`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:docker/elastic/kibana`	purl2cpe	2026-06-01 10:15:15.205905
`pkg:github/elastic/kibana`	purl2cpe	2026-06-01 10:15:15.205906
`pkg:rpm/opensuse/kibana`	purl2cpe	2026-06-01 10:15:15.205908

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-26939`	vulnerable	2026-06-03 15:18:05.808598	Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration MEDIUM (6.5) Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges. Published: 2026-03-19T17:11:16.507Z Updated: 2026-03-19T17:50:30.754Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-26938`	vulnerable	2026-06-03 15:18:05.808293	Improper Neutralization of Special Elements Used in a Template Engine in Kibana Workflows Leading to Server-Side Request Forgery (SSRF) HIGH (8.6) Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, and perform Server-Side Request Forgery (SSRF) via Code Injection (CAPEC-242). This requires an authenticated user who has the workflowsManagement:executeWorkflow privilege. Published: 2026-02-26T17:56:48.611Z Updated: 2026-02-27T16:03:59.847Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/kibana-9-3-1-security-update-esa-2026-17/385253	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-26935`	vulnerable	2026-06-03 15:18:05.807270	Improper Input Validation in Kibana Leading to Denial of Service MEDIUM (6.5) Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153) Published: 2026-02-26T17:05:16.619Z Updated: 2026-02-26T18:28:11.607Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-13/385249	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-26934`	vulnerable	2026-06-03 15:18:05.806818	Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service MEDIUM (6.5) Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing. Published: 2026-02-26T17:03:17.242Z Updated: 2026-02-26T18:28:11.925Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-12/385248	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.