About “OpenSearch”

A curated feed of “OpenSearch”-related CVEs appears below. We currently track 29 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 6.2 (all time; 6.7 over 365d), and 31% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-532 - Insertion of Sensitive Information into Log File, CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-674 - Uncontrolled Recursion.

In our taxonomy this topic maps to a MODERATE impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: opensearch

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle | Release | Latest | Premier Support | EOL | LTS
3 | 3.6.0 | Unavailable | -
2 | 2.19.5 | -
1 | 1.3.20 | Expired


CVEs tagged with this topic.

2026-05-11
Medium

CVE-2026-43826

The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:[email protected]:9200`), wrote the full host URL — including the embed…

2026-04-27
High

CVE-2026-7191

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillm…

2025-11-25
High

CVE-2025-9624

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and…

2025-10-21
Medium

CVE-2025-53059

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: OpenSearch Dashboards). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploita…

2025-10-15
High

CVE-2025-62371

OpenSearch Data Prepper is an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by defa…

2025-02-12
Medium

CVE-2024-54160

dashboards-reporting (aka Dashboards Reports) before 2.19.0.0, as shipped in OpenSearch before 2.19, allows XSS because Markdown is not sanitized when previewing a header or footer.

2025-01-31
High

CVE-2025-23671

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sav WP OpenSearch wp-opensearch allows Stored XSS. This issue affects WP OpenSearch: from n/a thro…

2025-01-21
High

CVE-2025-21545

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: OpenSearch). Supported versions that are affected are 8.60 and 8.61. Easily exploitable vulnerability…

2024-12-12
Medium

CVE-2024-55886

OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data…

2024-08-23
Medium

CVE-2024-43794

OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to extern…

2024-07-16
Medium

CVE-2024-21180

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: OpenSearch Dashboards). Supported versions that are affected are 8.59, 8.60 and 8.61. Easily exploita…

2024-07-09
Medium

CVE-2024-39901

OpenSearch Observability is a collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resou…

Medium

CVE-2024-39900

OpenSearch Dashboards Reports allows the ‘Report Owner’ to export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resourc…

2023-10-16
Medium

CVE-2023-45807

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearc…

2023-07-17
Medium

CVE-2023-28864

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in…

2023-05-08
Medium

CVE-2023-31141

OpenSearch is an open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access co…

2023-03-02
Medium

CVE-2023-25806

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the…

2023-02-03
Medium

CVE-2023-23933

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection pl…

2023-01-26
Medium

CVE-2023-23613

OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to…

Medium

CVE-2023-23612

OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or Open…

2022-11-16
Medium

CVE-2022-41917

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issu…

2022-11-15
Medium

CVE-2022-41918

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level se…

2022-11-11
High

CVE-2022-41906

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue…

2022-08-12
High

CVE-2022-35980

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure…

2022-06-30
High

CVE-2022-31115

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ru…

2021-12-12
Critical

CVE-2021-44833

The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.

2020-06-08
Medium

CVE-2020-8954

OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking. [a link that opens another app in the browser can be manipulated]

2019-05-24
Medium

CVE-2016-10245

Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.

2015-04-19
Medium

CVE-2015-1247

The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch d…
