Improper Encoding or Escaping of Output Affecting kibana package, versions >=7.0.0 <7.17.15>=8.0.0 <8.11.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.2% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-KIBANA-17875453
  • published7 Jul 2026
  • disclosed1 Jul 2026
  • creditUnknown

Introduced: 1 Jul 2026

NewCVE-2026-49091  (opens in a new tab)
CWE-116  (opens in a new tab)

How to fix?

Upgrade kibana to version 7.17.15, 8.11.1 or higher.

Overview

kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via improper output neutralization for logs. An attacker can manipulate log entries by supplying specially crafted input that is written to log files without proper neutralization, potentially altering the displayed log data when viewed in a terminal that interprets control sequences.

References

CVSS Base Scores

version 4.0
version 3.1