The floragunn Search Guard plugin prior to 6.x-16 for Kibana allows URL injection for login redirects on the login page when basePath is set.
search-guard search guard