{"id":"CVE-2023-31414","details":"Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.","modified":"2026-04-10T04:57:37.756581Z","published":"2023-05-04T21:15:11.703Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/kibana-8-7-1-security-updates/332330"},{"type":"ADVISORY","url":"https://www.elastic.co/community/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"last_affected":"05f12599523732051b84dde0b8d5610e0db2b06d"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"last_affected":"8.7.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31414.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}