CVE-2018-3823: X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manag
Summary
X-Pack Machine Learning (a tool for building predictive models in Elastic) versions before 6.2.4 and 5.6.9 contained a cross-site scripting vulnerability (XSS, where attackers inject malicious code that runs in users' browsers). Users with manage_ml permissions could hide malicious data in job configurations that would execute when other users viewed the results, allowing attackers to steal sensitive information or perform harmful actions on behalf of those users.
Solution / Mitigation
Update X-Pack Machine Learning to version 6.2.4 or 5.6.9 or later. The source references a security update at https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422.
Vulnerability Details
5.4(medium)
EPSS: 0.2%
Classification
Affected Vendors
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2018-3823
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 72%