8.3
CVE-2025-64675 - Azure Cosmos DB Spoofing Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
9.1
CVE-2025-68398 - Weblate has git config file overwrite vulnerability that leads to remote code execution
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
7.7
CVE-2025-68279 - Weblate has an arbitrary file read via symbolic links
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
4.3
CVE-2025-68422 - Kibana Improper Authorization
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of β¦
4.3
CVE-2025-68386 - Kibana Improper Authorization
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.
4.9
CVE-2025-68390 - Elasticsearch Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
6.5
CVE-2025-68389 - Kibana Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
6.1
CVE-2025-68387 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega ASβ¦
7.2
CVE-2025-68385 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitiβ¦
6.5
CVE-2025-68384 - Elasticsearch Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.