Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)

ismisepaul · December 18, 2025, 9:25pm

Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-35)

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.

Affected Versions:

7.x: All versions
8.x: All versions from 8.0.0 up to and including 8.19.8
9.x:
- All versions from 9.0.0 up to and including 9.1.8
- All versions from 9.2.0 up to and including 9.2.2

Solutions and Mitigations:

The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

Severity: CVSSv3.1: 6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-68387

Topic	Replies	Views
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34) Security Announcements	73	December 18, 2025
Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25) Security Announcements	1619	November 12, 2025
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28) Security Announcements	738	December 15, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20) Security Announcements	4070	October 6, 2025
Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17) Security Announcements	2090	October 6, 2025

Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)

Related topics