We have hosted a dockerized elastic stack in AWS ec2 instance and ran nessus scan on that instance. In the report of nessus scan, Web Server Generic XSS vulnerability is detected in elasticsearch. Currently we are using 6.6.1 version.
Please do not open public topics on potential security issues, we have a documented process for reporting these through : https://www.elastic.co/community/security
Regarding this specific one though, it's a false positive. Elasticsearch uses the HTTP protocol to service json requests via APIs. As such, when there is a bad request, we return a descriptive error message that often contains portions of the request passed to the API. It is common for some security scanners to incorrectly interpret this as an XSS. If the actual response is investigated it should have a content-type of json and indeed be returning json content. Web browsers will not interpret this as HTML.