{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-49091","assignerOrgId":"271b6943-45a9-4f3a-ab4e-976f3fa05b5a","state":"PUBLISHED","assignerShortName":"elastic","dateReserved":"2026-05-27T11:31:33.582Z","datePublished":"2026-07-01T17:21:28.544Z","dateUpdated":"2026-07-02T03:57:31.736Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Kibana","vendor":"Elastic","versions":[{"lessThanOrEqual":"8.11.0","status":"affected","version":"8.0.0","versionType":"semver"},{"lessThanOrEqual":"7.17.14","status":"affected","version":"7.0.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.</p>"}],"value":"Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data."}],"impacts":[{"capecId":"CAPEC-93","descriptions":[{"lang":"en","value":"CAPEC-93 Log Injection-Tampering-Forging"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8,"confidentialityImpact":"HIGH","integrityImpact":"HIGH","scope":"CHANGED","userInteraction":"REQUIRED","privilegesRequired":"LOW","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-116","description":"CWE-116 Improper Encoding or Escaping of Output","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"271b6943-45a9-4f3a-ab4e-976f3fa05b5a","shortName":"elastic","dateUpdated":"2026-07-01T17:21:28.544Z"},"references":[{"url":"https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53"}],"source":{"discovery":"Elastic"},"title":"Improper Output Neutralization for Logs in Kibana Leading to Log Injection","x_generator":{"engine":"Elastic CVE Publisher 0.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-01T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-49091"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-02T03:57:31.736Z"}}]}}