Graylog
CVE-2025-46827
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 5 maven packages depend on org.graylog2:graylog2-server (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.1.0.
DescriptionGitHub Advisory
Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met.
AnalysisAI
Graylog is a free and open log management platform. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met. Affected products include: Graylog.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Improper session invalidation in Graylog Web Interface 2.2.3 allows attackers to maintain access through expired session
Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-
Graylog is a free and open log management platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Graylog 2.2.3 contains an insecure direct object reference (IDOR) vulnerability in its user API endpoint that allows aut
Reflected XSS in Graylog 2.2.3's web interface allows remote attackers to execute arbitrary JavaScript in a victim's bro
Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/index_sets/ endpoint where unsanitized
Reflected XSS in Graylog Web Interface version 2.2.3 fails to properly sanitize user-supplied input in the /system/pipel
Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /alerts/ endpoint where unencoded URL paramete
Graylog Web Interface 2.2.3 contains a reflected XSS vulnerability in the /system/nodes/ endpoint where unescaped URL pa
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today