elasticsearch

Top products

The 15 most recently published vulnerabilities affecting elasticsearch.

• CVE-2026-26933Improper Validation of Array Index in Packetbeat Leading to Denial of Service5.7Mar 19, 2026
• CVE-2025-68382Packetbeat Out-of-bounds Read6.5Dec 18, 2025
• CVE-2025-68381Packetbeat Improper Bounds Check6.5Dec 18, 2025
• CVE-2025-68388Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious...5.3Dec 18, 2025
• CVE-2020-7016Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consumin...4.8Jul 27, 2020
• CVE-2020-7017In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive in...6.7Jul 27, 2020
• CVE-2017-11480Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrar...7.5Dec 8, 2017
• CVE-2017-8444The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the cli...5.9Sep 28, 2017
• CVE-2017-11479Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf ...6.1Sep 28, 2017
• CVE-2017-14730The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges ...7.8Sep 25, 2017
• CVE-2017-8446The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role c...5.3Aug 18, 2017
• CVE-2015-4165The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on...7.5Aug 9, 2017
• CVE-2015-5619Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to o...5.9Aug 9, 2017
• CVE-2015-5378Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.7.5Jun 27, 2017
• CVE-2016-10362Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.6.5Jun 16, 2017