CVE-2025-25009 HIGH

CVE-2025-25009: Kibana Cross-Site Scripting (XSS)

Vendor Elastic

Product Kibana

Weakness CWE-79 · XSS

Published October 7, 2025

Last update October 7, 2025

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

Key dates

02Disclosure timeline

October 7, 2025 CVE published

October 7, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-25009

Related vulnerabilities

04Related CVE

CVE-2025-48378 Dnn.Platform vulnerable to Stored Cross-Site Scripting (XSS) with svg files rendered inline CVE-2026-32852 MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter CVE-2025-32180 WordPress Product Carousel For WooCommerce – WoorouSell plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2023-48537 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2026-4730 Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute

Identifiers

CVE CVE-2025-25009

CWE CWE-79

CVSS 8.7 / HIGH

Affected versions

Vendor Elastic

Product Kibana

Affected ≥ 7.0.0 and ≤ 7.17.29

Vendor Elastic

Product Kibana

Affected ≥ 8.14.0 and ≤ 8.18.7

Vendor Elastic

Product Kibana

Affected ≥ 8.19.0 and ≤ 8.19.4

Vendor Elastic

Product Kibana

Affected ≥ 9.0.0 and ≤ 9.0.7

Vendor Elastic

Product Kibana

Affected ≥ 9.1.0 and ≤ 9.1.4