Advisory Database

CVE-2025-46827: Graylog Allows Session Takeover via Insufficient HTML Sanitization

May 7, 2025

Session cookies of other Graylog users can be obtained by placing an HTML form in the Remediation Step field of an Event Definition; the field's HTML is insufficiently sanitized before it is rendered. For the attack to succeed, the attacker needs a user account with permission to create event definitions, the victim must have permission to view alerts, and an active Input capable of receiving form data (e.g. an HTTP input, raw TCP or syslog) must be present on the Graylog server.
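A practitioner who cannot upgrade immediately, or who wants to know whether the bug was already abused, will want to audit existing event definitions for active HTML in their remediation steps. The following is an added example, not Graylog's or GitLab's own code: it assumes the event definitions have been exported as a list of dicts carrying a "title" and a "remediation_steps" string (the field name is an assumption), and the two sample definitions are constructed for illustration.

```python
"""Flag Graylog event definition remediation steps that contain active HTML.

Added example, not Graylog's own sanitizer. The dict layout ("title",
"remediation_steps") and the sample payload below are assumptions made
for illustration.
"""
from html.parser import HTMLParser

# Elements that let a rendered remediation step submit data or run script.
ACTIVE_TAGS = {
    "form", "input", "button", "textarea", "select",
    "script", "iframe", "object", "embed", "meta", "link",
}
URL_ATTRS = {"href", "src", "action", "formaction"}


class RiskyHtmlFinder(HTMLParser):
    """Collect a human-readable finding for every active tag, on* handler or javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser lowercases tag and attribute names; <input ... /> also ends up here.
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name}= handler on <{tag}>")
            elif name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def find_risky_html(text):
    """Return the list of findings for one remediation step (empty list when clean)."""
    parser = RiskyHtmlFinder()
    parser.feed(text or "")
    parser.close()
    return parser.findings


def audit_event_definitions(definitions):
    """Map each definition title to its findings; definitions with clean HTML are omitted."""
    report = {}
    for definition in definitions:
        findings = find_risky_html(definition.get("remediation_steps", ""))
        if findings:
            report[definition["title"]] = findings
    return report


# Constructed sample: a benign runbook and one definition carrying an injected form.
SAMPLE_DEFINITIONS = [
    {
        "title": "Benign runbook",
        "remediation_steps": "Restart the <b>collector</b> service and re-check the dashboard.",
    },
    {
        "title": "Injected form",
        "remediation_steps": (
            '<form action="http://graylog.example.org:12201/" method="POST">'
            '<input type="hidden" name="c"><input type="submit" value="Acknowledge">'
            '</form><img src="x" onerror="alert(1)">'
        ),
    },
]

if __name__ == "__main__":
    for title, findings in audit_event_definitions(SAMPLE_DEFINITIONS).items():
        print(title)
        for finding in findings:
            print("  -", finding)
```

The finder is deliberately an allowlist-free detector, not a sanitizer: it only answers "does this field carry something a rendered page could submit or execute", which is the question to ask before and after applying the fixed versions. Any hit on a definition created by an account that should not be authoring HTML is worth treating as a potential session-takeover attempt.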

References

  • github.com/Graylog2/graylog2-server
  • github.com/Graylog2/graylog2-server/security/advisories/GHSA-76vf-mpmx-777j
  • github.com/advisories/GHSA-76vf-mpmx-777j
  • nvd.nist.gov/vuln/detail/CVE-2025-46827

Detect and mitigate CVE-2025-46827 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

Affected versions

  • all versions before 6.0.14
  • all versions from 6.1.0 (inclusive) up to, but not including, 6.1.10

Fixed versions

  • 6.0.14
  • 6.1.10

Solution

Upgrade to 6.0.14 or later on the 6.0.x line, or to 6.1.10 or later on the 6.1.x line.

Impact: 8.0 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

maven/org.graylog2/graylog2-server/CVE-2025-46827.yml

Page generated Wed, 14 May 2025 12:15:20 +0000.