{"url":"http://public2.vulnerablecode.io/api/packages/378945?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.1.10","type":"maven","namespace":"org.graylog2","name":"graylog2-server","version":"6.1.10","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.4","latest_non_vulnerable_version":"6.2.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360806?format=json","vulnerability_id":"VCID-1ce2-9qbs-f3gj","summary":"Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser\n### Impact\nTwo minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack.\nAn attacker with the permission `FILES_CREATE` can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application. \nThis enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session.\n\n### Patches\nThe generic API has been removed in 6.2.0 rendering the attack vector unreachable and additional escaping has been added.\n\nAnalysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd","references":[{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q9q2-3ppx-mwqf","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q9q2-3ppx-mwqf"},{"reference_url":"https://github.com/advisories/GHSA-q9q2-3ppx-mwqf","reference_id":"GHSA-q9q2-3ppx-mwqf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q9q2-3ppx-mwqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378873?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nkae-v386-quh1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.2.0"}],"aliases":["GHSA-q9q2-3ppx-mwqf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1ce2-9qbs-f3gj"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97511?format=json","vulnerability_id":"VCID-atsa-zxpc-mkhx","summary":"Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46827","reference_id":"","reference_type":"","scores":[{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33857","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.34056","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.34034","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46827"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46827","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46827"},{"reference_url":"https://github.com/advisories/GHSA-76vf-mpmx-777j","reference_id":"GHSA-76vf-mpmx-777j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-76vf-mpmx-777j"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j","reference_id":"GHSA-76vf-mpmx-777j","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-07T15:50:00Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378944?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.0.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ce2-9qbs-f3gj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/378945?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ce2-9qbs-f3gj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.10"}],"aliases":["CVE-2025-46827","GHSA-76vf-mpmx-777j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-atsa-zxpc-mkhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89737?format=json","vulnerability_id":"VCID-q7wf-bv57-hkg4","summary":"Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30373","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09195","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.0925","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09251","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30373"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30373","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30373"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/31bc13d3cd6f550ec83473d0f8666cd3ebf50f10","reference_id":"31bc13d3cd6f550ec83473d0f8666cd3ebf50f10","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T19:02:33Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/31bc13d3cd6f550ec83473d0f8666cd3ebf50f10"},{"reference_url":"https://github.com/advisories/GHSA-q7g5-jq6p-6wvx","reference_id":"GHSA-q7g5-jq6p-6wvx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7g5-jq6p-6wvx"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx","reference_id":"GHSA-q7g5-jq6p-6wvx","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T19:02:33Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376300?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-atsa-zxpc-mkhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/378945?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ce2-9qbs-f3gj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.10"}],"aliases":["CVE-2025-30373","GHSA-q7g5-jq6p-6wvx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q7wf-bv57-hkg4"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.10"}