Elastic — Vulnerabilities & Security Advisories (223)

Browse all 223 CVE security advisories affecting Elastic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Elastic operates as a search and analytics engine, primarily powering the ELK Stack for log management and data visualization. With 223 recorded Common Vulnerabilities and Exposures, the platform has historically been susceptible to critical flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation and authentication bypasses within its Java-based architecture. Notable incidents involve unauthorized access to sensitive data through exposed APIs, highlighting risks associated with default configurations. The sheer volume of CVEs suggests persistent challenges in securing complex distributed systems. While the software remains a cornerstone for enterprise search, its extensive attack surface requires rigorous patching and strict access controls to mitigate the high probability of exploitation by threat actors targeting its widespread deployment infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-68383 | Filebeat Improper Validation of Specified Index, Position, or Offset in Input | Filebeat | CWE-1284 | 6.5 | Medium | 2025-12-18 |
| CVE-2025-68382 | Packetbeat Out-of-bounds Read | Packetbeat | CWE-125 | 6.5 | Medium | 2025-12-18 |
| CVE-2025-68381 | Packetbeat Improper Bounds Check | Packetbeat | CWE-787 | 6.5 | Medium | 2025-12-18 |
| CVE-2025-68388 | Elastic Packetbeat security vulnerability | Packetbeat | CWE-770 | 5.3 | Medium | 2025-12-18 |
| CVE-2025-37731 | Elasticsearch Improper Authentication | Elasticsearch | CWE-287 | 6.8 | Medium | 2025-12-15 |
| CVE-2025-37732 | Kibana Cross-site Scripting via the Integration Package Upload Functionality | Kibana | CWE-79 | 5.4 | Medium | 2025-12-15 |
| CVE-2025-37734 | Kibana Origin Validation Error | Kibana | CWE-346 | 4.3 | Medium | 2025-11-12 |
| CVE-2025-37736 | Elastic Cloud Enterprise Improper Authorization | Elastic Cloud Enterprise (ECE) | CWE-863 | 8.8 | High | 2025-11-07 |
| CVE-2025-37735 | Elastic Defend security vulnerability | Kibana | CWE-281 | 7.0 | High | 2025-11-06 |
| CVE-2025-37729 | Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine | Elastic Cloud Enterprise (ECE) | CWE-1336 | 9.1 | Critical | 2025-10-13 |
| CVE-2025-37727 | Elasticsearch Insertion of sensitive information in log file | Elasticsearch | CWE-532 | 5.7 | Medium | 2025-10-10 |
| CVE-2025-25017 | Kibana Stored Cross-Site Scripting (XSS) | Kibana | CWE-79 | 8.2 | High | 2025-10-10 |
| CVE-2025-25018 | Kibana Stored Cross-Site Scripting (XSS) | Kibana | CWE-79 | 8.7 | High | 2025-10-10 |
| CVE-2025-25009 | Kibana Cross-Site Scripting (XSS) | Kibana | CWE-79 | 8.7 | High | 2025-10-07 |
| CVE-2025-37728 | Kibana Insufficiently Protected Credentials in the CrowdStrike Connector | Kibana | CWE-522 | 5.4 | Medium | 2025-10-07 |
| CVE-2025-25010 | Kibana privilege escalation via reporting_user role | Kibana | CWE-863 | 6.5 | Medium | 2025-08-28 |
| CVE-2025-25011 | Beats Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer | Beats | CWE-427 | 7.0 | High | 2025-07-30 |
| CVE-2025-0712 | APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer | APM Server | CWE-427 | 7.0 | High | 2025-07-30 |
| CVE-2025-25012 | Kibana Open Redirect | Kibana | CWE-601 | 4.3 | Medium | 2025-06-25 |
| CVE-2024-43706 | Kibana Improper Authorization | Kibana | CWE-285 | 7.6 | High | 2025-06-10 |
| CVE-2025-25014 | Kibana arbitrary code execution via prototype pollution | Kibana | CWE-1321 | 9.1 | Critical | 2025-05-06 |
| CVE-2025-37730 | Logstash Improper Certificate Validation in TCP output | Logstash | CWE-295 | 6.5 | Medium | 2025-05-06 |
| CVE-2024-52979 | Elasticsearch Uncontrolled Resource Consumption vulnerability | Elasticsearch | CWE-400 | 6.5 | Medium | 2025-05-01 |
| CVE-2024-11390 | Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS | Kibana | CWE-434 | 5.4 | Medium | 2025-05-01 |
| CVE-2025-25016 | Kibana Unrestricted Upload of File | Kibana | CWE-434 | 4.3 | Medium | 2025-05-01 |
| CVE-2024-11994 | APM Server Insertion of Sensitive Information into Log File | APM Server | CWE-200 | 5.7 | Medium | 2025-05-01 |
| CVE-2024-52976 | Elastic Agent Inclusion of Functionality from Untrusted Control Sphere | Elastic Agent | CWE-829 | 4.4 | Medium | 2025-05-01 |
| CVE-2023-46669 | Elastic Agent / Elastic Endpoint Security local API key disclosure | Elastic Agent and Elastic Defend | CWE-200 | 6.2 | Medium | 2025-05-01 |
| CVE-2025-25013 | Elastic Defend Insertion of Sensitive Information into Log Files | Elastic Defend | CWE-532 | 6.5 | Medium | 2025-04-08 |
| CVE-2024-12556 | Kibana Prototype Pollution can lead to code injection | Kibana | CWE-1321 | 8.7 | High | 2025-04-08 |

This page lists every published CVE security advisory associated with Elastic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.