CVE-2026-42401— Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42401
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Elastic Kibana 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Elastic Kibana是Elastic公司的一个可用数据可视化仪表板软件。 Elastic Kibana存在安全漏洞,该漏洞源于输入中和不当,可能导致具有Elasticsearch索引写入权限的用户持久化特制标记,当其他用户通过受影响的Kibana视图渲染时,可能导致未经授权的UI操作和出站网络请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42401
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42401
请登录查看更多情报信息。
Other References for CVE-2026-42401 (1)
Same Patch Batch · Elastic · 2026-05-28 · 10 CVEs total
| CVE-2026-42398 | 7.7 HIGH | Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access |
| CVE-2026-49095 | 7.2 HIGH | Improper Input Validation in Kibana Fleet Leading to Privilege Escalation |
| CVE-2026-33464 | 6.5 MEDIUM | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service |
| CVE-2026-42399 | 6.5 MEDIUM | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service |
| CVE-2026-42400 | 6.5 MEDIUM | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service |
| CVE-2026-49094 | 6.5 MEDIUM | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service |
| CVE-2026-49093 | 6.3 MEDIUM | Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access |
| CVE-2026-33463 | 5.3 MEDIUM | Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized |
| CVE-2026-33462 | 4.6 MEDIUM | Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts |
IV. Related Vulnerabilities
Same product: Kibana
- CVE-2026-49093
Server-Side Request Forgery (SSRF) in Kibana Leading to Unau - CVE-2026-49094
Uncontrolled Resource Consumption in Kibana Leading to Denia - CVE-2026-49095
Improper Input Validation in Kibana Fleet Leading to Privile - CVE-2026-42398
Server-Side Request Forgery (SSRF) in Kibana Leading to Unau - CVE-2026-42399
Uncontrolled Resource Consumption in Kibana Leading to Denia
Same vendor: Elastic
- CVE-2026-49093
Server-Side Request Forgery (SSRF) in Kibana Leading to Unau - CVE-2026-49094
Uncontrolled Resource Consumption in Kibana Leading to Denia - CVE-2026-49095
Improper Input Validation in Kibana Fleet Leading to Privile - CVE-2026-42398
Server-Side Request Forgery (SSRF) in Kibana Leading to Unau - CVE-2026-42399
Uncontrolled Resource Consumption in Kibana Leading to Denia
Same weakness: CWE-79
- CVE-2026-10173
Orthanc Explorer 2 URL StudyList.vue cross site scripting - CVE-2026-10153
westboy CicadasCMS AbstractCacheManager.java search cross si - CVE-2026-10112
sambitraj STUDENT-MANAGEMENT-SYSTEM Dashboard cross site scr - CVE-2026-34127
Stored Cross-Site Scripting (XSS) via Configuration File Imp - CVE-2026-49384
PyCharm < 2025.3.4 Jupyter笔记存储型XSS漏洞
V. Comments for CVE-2026-42401
No comments yet