Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17)

Kibana Stored Cross-Site Scripting (XSS) (ESA-2025-17)

Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site Scripting (XSS).

Affected Versions:

  • 7.x: All versions from 7.0.0 up to and including 7.17.29
  • 8.x: All versions from 8.0.0 up to and including 8.18.7
  • 8.19.x: All versions from 8.19.0 up to and including 8.19.4
  • 9.0.x: All versions from 9.0.0 up to and including 9.0.7
  • 9.1.x: All versions from 9.1.0 up to and including 9.1.4

Affected Configurations:

A malicious user would need to have a role that includes All permissions under Management for Fleet and Integrations.

Solutions and Mitigations:

Users should upgrade to version 8.18.8 or 8.19.5 or 9.0.8 or 9.1.5.

Severity: CVSSv3.1: High (8.7) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVE ID: CVE-2025-25018
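
The affected ranges and fixed releases listed above can be checked against a deployment inventory. The following is an added example, not part of the Elastic advisory: the function names and the sample inventory are assumptions, and the 7.x line is reported without an upgrade target because the advisory lists no fixed 7.x release.

```python
import re

# Ranges from the advisory: (first affected, last affected, fixed release).
# The advisory lists no fixed release for 7.x, so that entry carries None.
AFFECTED = [
    ((7, 0, 0), (7, 17, 29), None),
    ((8, 0, 0), (8, 18, 7), "8.18.8"),
    ((8, 19, 0), (8, 19, 4), "8.19.5"),
    ((9, 0, 0), (9, 0, 7), "9.0.8"),
    ((9, 1, 0), (9, 1, 4), "9.1.5"),
]

def parse_version(text):
    """Parse a strict 'X.Y.Z' string; anything else needs manual review."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    return tuple(int(g) for g in m.groups())

def check(version):
    """Return (affected, fixed_release_or_None) for one version string."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED:
        if first <= v <= last:
            return True, fixed
    return False, None

def audit(inventory):
    """Turn a {host: version} inventory into {host: status}."""
    report = {}
    for host, version in inventory.items():
        try:
            affected, fixed = check(version)
        except ValueError as exc:
            report[host] = f"UNKNOWN: {exc}"
            continue
        if not affected:
            report[host] = "outside the affected ranges"
        elif fixed:
            report[host] = f"AFFECTED: upgrade to {fixed}"
        else:
            report[host] = "AFFECTED: no fixed release listed for this line"
    return report

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"kb-prod": "8.18.7", "kb-dr": "8.18.8", "kb-legacy": "7.17.29",
              "kb-lab": "9.1.4", "kb-odd": "8.19"}
    for host, status in audit(sample).items():
        print(f"{host:10} {status}")
```

Version strings that are not plain X.Y.Z are reported as UNKNOWN rather than guessed at, so they surface for manual review.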