{"url":"http://public2.vulnerablecode.io/api/packages/531397?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@3.3.5","type":"maven","namespace":"org.graylog2","name":"graylog2-server","version":"3.3.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.4","latest_non_vulnerable_version":"6.2.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45567?format=json","vulnerability_id":"VCID-27xf-skwu-h7cc","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41045","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37666","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37639","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37697","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37694","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41045"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/466af814523cffae9fbc7e77bab7472988f03c3e","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T16:55:58Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/466af814523cffae9fbc7e77bab7472988f03c3e"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/a101f4f12180fd3dfa7d3345188a099877a3c327","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T16:55:58Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/a101f4f12180fd3dfa7d3345188a099877a3c327"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41045","reference_id":"CVE-2023-41045","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41045"},{"reference_url":"https://github.com/advisories/GHSA-g96c-x7rh-99r3","reference_id":"GHSA-g96c-x7rh-99r3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g96c-x7rh-99r3"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3","reference_id":"GHSA-g96c-x7rh-99r3","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T16:55:58Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66752?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-nhem-t4be-5fae"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/66753?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-nhem-t4be-5fae"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.1.3"}],"aliases":["CVE-2023-41045","GHSA-g96c-x7rh-99r3","GMS-2023-1862"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-27xf-skwu-h7cc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57266?format=json","vulnerability_id":"VCID-46kd-qqtj-3bh7","summary":"Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser\nTwo minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack.\nAn attacker with the permission `FILES_CREATE` can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application.\nThis enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session.","references":[{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://github.com/advisories/GHSA-q9q2-3ppx-mwqf","reference_id":"GHSA-q9q2-3ppx-mwqf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q9q2-3ppx-mwqf"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q9q2-3ppx-mwqf","reference_id":"GHSA-q9q2-3ppx-mwqf","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q9q2-3ppx-mwqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85059?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7f1u-r39p-aufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.2.0"}],"aliases":["GHSA-q9q2-3ppx-mwqf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-46kd-qqtj-3bh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41266?format=json","vulnerability_id":"VCID-716r-xzrh-uydk","summary":"Inclusion of Sensitive Information in Log Files\nA Session ID leak in the DEBUG log file in Graylog allows attackers to escalate privileges (to the access level of the leaked session ID).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37759","reference_id":"","reference_type":"","scores":[{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66499","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66539","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66547","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66532","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66518","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66535","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37759"},{"reference_url":"https://www.graylog.org/post/announcing-graylog-v4-1-2","reference_id":"","reference_type":"","scores":[],"url":"https://www.graylog.org/post/announcing-graylog-v4-1-2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37759","reference_id":"CVE-2021-37759","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58571?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27xf-skwu-h7cc"},{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-my9e-b6w5-q3c1"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@4.1.2"}],"aliases":["CVE-2021-37759"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-716r-xzrh-uydk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41267?format=json","vulnerability_id":"VCID-dybb-h34a-ybfa","summary":"Inclusion of Sensitive Information in Log Files\nA Session ID leak in the audit log in Graylog allows attackers to escalate privileges (to the access level of the leaked session ID).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37760","reference_id":"","reference_type":"","scores":[{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66499","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66539","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66547","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66532","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66518","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00504","scoring_system":"epss","scoring_elements":"0.66535","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37760"},{"reference_url":"https://www.graylog.org/post/announcing-graylog-v4-1-2","reference_id":"","reference_type":"","scores":[],"url":"https://www.graylog.org/post/announcing-graylog-v4-1-2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37760","reference_id":"CVE-2021-37760","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37760"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58571?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27xf-skwu-h7cc"},{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-my9e-b6w5-q3c1"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@4.1.2"}],"aliases":["CVE-2021-37760"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dybb-h34a-ybfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45565?format=json","vulnerability_id":"VCID-my9e-b6w5-q3c1","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41041","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43953","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43912","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43902","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43937","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43962","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41041"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/bb88f3d0b2b0351669ab32c60b595ab7242a3fe3","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:11:56Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/bb88f3d0b2b0351669ab32c60b595ab7242a3fe3"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/ff90f3e2aa4ae2e0bb613d3236e52c40aa154b20","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server/commit/ff90f3e2aa4ae2e0bb613d3236e52c40aa154b20"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41041","reference_id":"CVE-2023-41041","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41041"},{"reference_url":"https://github.com/advisories/GHSA-3fqm-frhg-7c85","reference_id":"GHSA-3fqm-frhg-7c85","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fqm-frhg-7c85"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3fqm-frhg-7c85","reference_id":"GHSA-3fqm-frhg-7c85","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:11:56Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3fqm-frhg-7c85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66752?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-nhem-t4be-5fae"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/66753?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-nhem-t4be-5fae"},{"vulnerability":"VCID-prpc-a12t-b7dt"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.1.3"}],"aliases":["CVE-2023-41041","GHSA-3fqm-frhg-7c85","GMS-2023-1861"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-my9e-b6w5-q3c1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46969?format=json","vulnerability_id":"VCID-prpc-a12t-b7dt","summary":"Incorrect Authorization\nGraylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using them, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated. This will execute arbitrary code that is run during class instantiation. In the specific use case of `java.io.File`, the behavior of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request. Versions 5.1.11 and 5.2.4 contain a fix for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24824","reference_id":"","reference_type":"","scores":[{"value":"0.03888","scoring_system":"epss","scoring_elements":"0.885","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03888","scoring_system":"epss","scoring_elements":"0.88483","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03888","scoring_system":"epss","scoring_elements":"0.88484","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03888","scoring_system":"epss","scoring_elements":"0.88482","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24824"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-07T20:11:04Z/"}],"url":"https://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/75ef2b8d60e7d67f859b79fe712c8ae7b2e861d8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-07T20:11:04Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/75ef2b8d60e7d67f859b79fe712c8ae7b2e861d8"},{"reference_url":"https://github.com/Graylog2/graylog2-server/commit/7f8ef7fa8edf493106d5ef6f777d4da02c5194d9","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-07T20:11:04Z/"}],"url":"https://github.com/Graylog2/graylog2-server/commit/7f8ef7fa8edf493106d5ef6f777d4da02c5194d9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24824","reference_id":"CVE-2024-24824","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24824"},{"reference_url":"https://github.com/advisories/GHSA-p6gg-5hf4-4rgj","reference_id":"GHSA-p6gg-5hf4-4rgj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6gg-5hf4-4rgj"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj","reference_id":"GHSA-p6gg-5hf4-4rgj","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-07T20:11:04Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68814?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.1.11"},{"url":"http://public2.vulnerablecode.io/api/packages/68815?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@5.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"},{"vulnerability":"VCID-zhcq-k5ej-a3hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@5.2.4"}],"aliases":["CVE-2024-24824","GHSA-p6gg-5hf4-4rgj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-prpc-a12t-b7dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57267?format=json","vulnerability_id":"VCID-zhcq-k5ej-a3hb","summary":"Graylog Allows Session Takeover via Insufficient HTML Sanitization\nIt is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field.\nFor this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46827","reference_id":"","reference_type":"","scores":[{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33794","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33819","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33828","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33863","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33847","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46827"},{"reference_url":"https://github.com/Graylog2/graylog2-server","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Graylog2/graylog2-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46827","reference_id":"CVE-2025-46827","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46827"},{"reference_url":"https://github.com/advisories/GHSA-76vf-mpmx-777j","reference_id":"GHSA-76vf-mpmx-777j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-76vf-mpmx-777j"},{"reference_url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j","reference_id":"GHSA-76vf-mpmx-777j","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-07T15:50:00Z/"}],"url":"https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85062?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.0.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/85063?format=json","purl":"pkg:maven/org.graylog2/graylog2-server@6.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46kd-qqtj-3bh7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@6.1.10"}],"aliases":["CVE-2025-46827","GHSA-76vf-mpmx-777j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhcq-k5ej-a3hb"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.graylog2/graylog2-server@3.3.5"}