An arbitrary code execution flaw was found in the Timelion visualizer in Kibana versions before 5.6.15 and 6.6.1. This flaw allows an attacker with access to the Timelion application to send a request that attempts to execute javascript code. This could lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.