Cross-site Scripting (XSS) Affecting kibana-9.3-advanced package, versions <9.3.6-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.2% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-KIBANA93ADVANCED-17434665
  • published24 Jun 2026
  • disclosed17 Jun 2026

Introduced: 17 Jun 2026

NewCVE-2026-44644  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Minimos:latest kibana-9.3-advanced to version 9.3.6-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.3-advanced package and not the kibana-9.3-advanced package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. Exploitation is possible for applications that both render attacker-controlled strings via {{ x | strip_html }} to defend against HTML injection and do not separately HTML-escape that output (default behavior — outputEscape is unset by default). This issue has been fixed in version 10.26.0.