252 CVEs

3 in CISA KEV

Elastic Vulnerabilities

CVE security advisories and vulnerability history for Elastic.

252

Total CVEs

Published

3

In CISA KEV

Exploited in the wild

11

Public exploits

With known exploit

6.5

Avg CVSS

2014–2026

Overview

Elastic has 252 published CVE records since 2014, of which 3 are in CISA's Known Exploited Vulnerabilities catalog and 11 have a known public exploit. The average CVSS base score across scored CVEs is 6.5.

This page aggregates every publicly disclosed vulnerability (CVE) affecting Elastic products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of Elastic's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical12

High29

Medium96

Low2

113 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

3

3 of Elastic's CVEs are confirmed exploited in the wild.

Public exploits

11

11 of Elastic's CVEs have a known public exploit available.

Most affected products

The Elastic products with the most published CVEs.

Kibana118 CVEs
Elasticsearch49 CVEs
org.elasticsearch:elasticsearch41 CVEs
elk39 CVEs
logstash16 CVEs
x-pack10 CVEs
elastic cloud enterprise10 CVEs
beats8 CVEs

Common weakness types

The CWE weakness categories most often found in Elastic CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish Elastic CVE records.

Disclosure activity by year

How many Elastic CVEs were published each year.

2019

14

2020

13

2021

21

2022

12

2023

31

2024

21

2025

49

2026

33

Latest Elastic CVEs

The most recently disclosed vulnerabilities affecting Elastic.

Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
CWE-918
Medium · CVSS 6.3
EPSS 0.0%2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CWE-400
Medium · CVSS 6.5
EPSS 0.0%2026-05-28
Improper Input Validation in Kibana Fleet Leading to Privilege Escalation
CWE-20
High · CVSS 7.2
EPSS 0.0%2026-05-28
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
CWE-918
High · CVSS 7.7
EPSS 0.0%2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CWE-400
Medium · CVSS 6.5
EPSS 0.0%2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CWE-400
Medium · CVSS 6.5
EPSS 0.0%2026-05-28
Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection
CWE-79
Medium · CVSS 4.1
EPSS 0.0%2026-05-28
Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access
CWE-672
Medium · CVSS 5.3
EPSS 0.1%2026-05-28
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
CWE-400
Medium · CVSS 6.5
EPSS 0.0%2026-05-28
Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts
CWE-22
Medium · CVSS 4.6
EPSS 0.0%2026-05-28
Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
CWE-347
Medium · CVSS 5.9
EPSS 0.0%2026-04-28
Improper Limitation of a Pathname to a Restricted Directory in Logstash Leading to Arbitrary File Write
CWE-22
High · CVSS 8.1
EPSS 0.6%2026-04-08

Track new Elastic CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor Elastic CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

artifex259 CVEs isc259 CVEs sgi259 CVEs org.jenkins-ci.main258 CVEs ABB250 CVEs samba248 CVEs progress247 CVEs SonicWall246 CVEs

Browse all vendors

Frequently asked questions

Common questions about Elastic vulnerabilities.

How many CVEs does Elastic have?

Elastic has 252 published CVE records since 2014, including 82 in the last two years.

How many Elastic CVEs are in CISA KEV?

Yes — 3 of Elastic's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which Elastic products have the most CVEs?

The Elastic products with the most published CVEs are Kibana, Elasticsearch, org.elasticsearch:elasticsearch, elk, logstash.

What are the most common weakness types in Elastic CVEs?

Elastic's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-532 (Insertion of Sensitive Information into Log File), CWE-400 (Uncontrolled Resource Consumption), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Are there public exploits for Elastic vulnerabilities?

Yes — 11 of Elastic's CVEs have a known public exploit.

How many critical Elastic vulnerabilities are there?

Elastic has 12 critical and 29 high-severity CVEs.

What is the average severity of Elastic CVEs?

The average CVSS base score across Elastic's scored CVEs is 6.5.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track Elastic vulnerabilities

Monitor new Elastic vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing