Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)

ismisepaul · December 18, 2025, 9:24pm

Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-34)

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.

Affected Versions:

7.x: All versions
8.x: All versions from 8.0.0 up to and including 8.19.8
9.x:
- All versions from 9.0.0 up to and including 9.1.8
- All versions from 9.2.0 up to and including 9.2.2

Solutions and Mitigations:

The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

Severity: CVSSv3.1: 7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-68385

Topic	Replies	Views
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35) Security Announcements	88	December 18, 2025
Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25) Security Announcements	1620	November 12, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20) Security Announcements	4070	October 6, 2025
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28) Security Announcements	744	December 15, 2025
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16) Security Announcements	2801	October 6, 2025

Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)

Related topics