4.3
CVE-2025-68386 - Kibana Improper Authorization
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space, via a crafted HTTP request.
4.9
CVE-2025-68390 - Elasticsearch Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request.
6.5
CVE-2025-68389 - Kibana Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
6.1
CVE-2025-68387 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63), via a vulnerability in a function handler in the Vega AS…
7.2
CVE-2025-68385 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63), via a method in Vega bypassing a previous Vega XSS miti…
6.5
CVE-2025-68384 - Elasticsearch Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130), leading to a persistent denial of service (OOM crash), via submission of oversized user settings data.
8.2
CVE-2025-64677 - Office Out-of-Box Experience Spoofing Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
7.2
CVE-2025-64676 - Microsoft Purview eDiscovery Remote Code Execution Vulnerability
'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.
10
CVE-2025-65037 - Azure Container Apps Remote Code Execution Vulnerability
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
10
CVE-2025-65041 - Microsoft Partner Center Elevation of Privilege Vulnerability
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.