CVE-2026-42401 MEDIUM

CVE-2026-42401: Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection

Vendor Elastic
Product Kibana
Weakness CWE-79 · XSS
Published May 28, 2026
Last update May 29, 2026
View on NVD All CVEs

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-30180 WordPress Easy Social Feed plugin <= 6.5.3 - Cross Site Scripting (XSS) vulnerability CVE-2025-13730 OpenID Connect Generic Client <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-54891 A user with elevated privileges can inject XSS in the ACL Resource Access configuration page CVE-2025-9754 Campcodes Online Hospital Management System Edit Profile edit-profile.php cross site scripting CVE-2024-10875 Gallery Manager <= 1.6.58 - Reflected Cross-Site Scripting