CVE-2025-68385NVD

Vulnerability Summary

Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.

Severity Level

HIGH(7.2)

Published Date

Dec 18, 2025

Last Modified

Dec 23, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityLow

IntegrityLow

AvailabilityNone

External References

https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182