CVE-2025-68387

Summary

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.

Affected Software

VendorProductVersion RangeStatus
ElasticKibana7.0.0 <= 7.17.29affected
ElasticKibana8.0.0 <= 8.19.8affected
ElasticKibana9.0.0 <= 9.1.8affected
ElasticKibana9.2.0 <= 9.2.2affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References