CVE-2026-42401
Stored HTML Injection in Kibana
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Elastic
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | up to 8.19.15 (inclusive) |
| elastic | kibana | up to 9.3.4 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42401 is a vulnerability in Kibana versions 8.x and 9.x that involves improper neutralization of input during web page generation, leading to stored HTML injection.
A user with write access to an Elasticsearch index can inject crafted markup that is not properly sanitized when rendered in Kibana views for other users.
This flaw allows attackers to manipulate the user interface and cause outbound network requests from the affected user's browser session.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized manipulation of the Kibana user interface.
It can also cause outbound network requests to be issued from the browser session of the user viewing the injected content, potentially leading to further attacks or data leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your Kibana installation is within the affected versions (8.0.0 to 8.19.15 or 9.0.0 to 9.3.4) and if there is any presence of stored HTML injection attempts in Elasticsearch indices writable by users.
Since the vulnerability involves stored HTML injection via user input in Elasticsearch indices, you can inspect the data stored in these indices for suspicious or crafted markup that could be malicious.
There are no specific commands provided in the resources, but general approaches include querying Elasticsearch indices for unusual HTML or script tags in fields that accept user input.
- Use Elasticsearch query DSL to search for suspicious markup, for example: a query searching for '<script>' or other HTML tags in relevant fields.
- Check the Kibana version by running: `kibana --version` or checking the Kibana UI about page to confirm if it is within the vulnerable range.
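An added example (not from the advisory or from Elastic) that implements both checks from the answer above in Python: a test of a Kibana version string against the affected ranges this record lists, and a scan of Elasticsearch `_search` hits for HTML-like markup in any string field, nested objects and arrays included. The `SAMPLE_HITS` documents are constructed for illustration and stand in for the output of a real query.

```python
"""Defender-side checks for CVE-2026-42401 (stored HTML injection in Kibana).

Added example: version-range test plus a scan of _search hits for markup.
"""
import re
from typing import Any, Iterator

# Affected ranges from the advisory: 8.0.0..8.19.15 and 9.0.0..9.3.4, inclusive.
AFFECTED_RANGES = (((8, 0, 0), (8, 19, 15)), ((9, 0, 0), (9, 3, 4)))

# Any HTML-like tag (<script>, <img ...>, </b>, ...) in a stored string field.
MARKUP_RE = re.compile(r"<\s*/?[a-zA-Z][^>]*>")


def parse_version(text: str) -> tuple:
    """Extract x.y.z from e.g. '8.19.15' or 'Version: 9.3.4' as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the Kibana version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _strings(value: Any, path: str = "") -> Iterator[tuple]:
    """Yield (field_path, text) for every string nested anywhere in a document."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from _strings(item, f"{path}[{i}]")


def find_markup(hits: list) -> list:
    """Return (index, doc id, field path) for each field holding HTML-like markup."""
    findings = []
    for hit in hits:
        for field, text in _strings(hit.get("_source", {})):
            if MARKUP_RE.search(text):
                findings.append((hit["_index"], hit["_id"], field))
    return findings


# Constructed sample hits in the shape of an Elasticsearch _search response.
SAMPLE_HITS = [
    {"_index": "app-logs", "_id": "1", "_source": {"message": "user login ok", "user": {"name": "alice"}}},
    {"_index": "app-logs", "_id": "2", "_source": {"message": "<script>probe()</script>", "user": {"name": "bob"}}},
    {"_index": "app-logs", "_id": "3", "_source": {"tags": ["ok", '<img src="http://example.invalid/p.png">']}},
]
```

Any hit reported by `find_markup` is a triage lead, not proof of exploitation; review the document and the principal that wrote it.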
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Kibana to a fixed version: 8.19.16 or later for the 8.x series, or 9.3.5 or later for the 9.x series.
Restrict write access to Elasticsearch indices to trusted users only, minimizing the risk of malicious markup injection.
Monitor and sanitize user inputs that are stored in Elasticsearch indices to prevent injection of crafted markup.
Since this vulnerability affects self-hosted plugins and deployments, consider reviewing plugin configurations and disabling any unnecessary plugins that might increase risk.