Elastic Patches Critical Kibana & Elasticsearch Flaws

Elastic has released security updates addressing five vulnerabilities in its Kibana and Elasticsearch components, including three critical Cross-Site Scripting (XSS) issues. These flaws could allow attackers to execute arbitrary scripts, leading to data theft and session hijacking. Other fixed vulnerabilities include a sensitive information disclosure in Elasticsearch audit logs and a credential leak in the Kibana CrowdStrike Connector. The issues affect multiple versions, with some flaws allowing credential exposure across different workspaces. Users are strongly urged to upgrade to the latest patched versions immediately to mitigate these risks.

Latest mentioned: 10-07

Earliest mentioned: 10-07

Sources

securityonline.info gbhackers.com

Also Read

PhantomRaven Supply-Chain Attack Infects npm Ecosystem

Koi Security has discovered a massive supply-chain attack called PhantomRaven, which has infected the npm ecosystem with 126 malicious packages downloaded over 86,000 times. The campaign, active since August 2025, steals npm authentication tokens, GitHub credentials, and CI/CD secrets by concealing malicious code in dependencies. The attackers used Remote Dynamic Dependencies (RDD) to bypass security scanners, making the packages appear harmless. The malware executed automatically during installation, performing aggressive reconnaissance and exfiltration. Koi Security noted the use of AI-driven slopsquatting to create plausible-sounding package names, tricking developers into trusting malicious packages.

10-31Read more →