{"id":"CVE-2025-25018","details":"Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)","aliases":["BIT-elk-2025-25018","BIT-kibana-2025-25018"],"modified":"2026-04-10T05:23:10.076065Z","published":"2025-10-10T10:15:33.743Z","related":["CGA-2rwr-cc4x-v56q"],"references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-17/382451"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"ee89fda8a17eff9c93f7400c102edf76cb4d7d8a"},{"fixed":"08ece643671f3ee61a7297b3e67aa99e79a1aef7"},{"introduced":"ffd7cbf34ac1234c78354f2a22ef5f1703c04eaf"},{"fixed":"2ceb68bd03a3cc20c26495ec986ed4f244589d69"},{"introduced":"504d6bfa94cca17fabb76e06152c30c4f0c3efdd"},{"fixed":"16276053a4c29c654785bb35bce6b512c15435b1"},{"introduced":"9f30374092edd41719399f7ef81cb7ae78d8a3ab"},{"fixed":"4a62c99c68a5156b84e1bf986d47e0a317591820"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"8.18.8"},{"introduced":"8.19.0"},{"fixed":"8.19.5"},{"introduced":"9.0.0"},{"fixed":"9.0.8"},{"introduced":"9.1.0"},{"fixed":"9.1.5"}]}}],"versions":["v8.19.0","v8.19.1","v8.19.2","v8.19.3","v8.19.4","v9.0.0","v9.0.1","v9.0.2","v9.0.3","v9.0.4","v9.0.5","v9.0.6","v9.0.7","v9.1.0","v9.1.1","v9.1.2","v9.1.3","v9.1.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25018.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}