Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-1438— Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

EPSS 0.05% · P15
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-1438

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface
Source: NVD (National Vulnerability Database)
Vulnerability Description
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the  '/system/nodes/' endpoint.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Graylog Web Interface 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Graylog Web Interface是美国Graylog公司的一套Web界面。 Graylog Web Interface 2.2.3版本存在跨站脚本漏洞,该漏洞源于HTML输出缺少适当的清理和转义,可能导致通过端点/system/nodes/注入和执行任意JavaScript代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
GraylogGraylog Web Interface 2.2.3 -

II. Public POCs for CVE-2026-1438

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-1438

登录查看更多情报信息。

Same Patch Batch · Graylog · 2026-02-18 · 7 CVEs total

CVE-2026-1436Improper Access Control (IDOR) vulnerability in Graylog Web Interface
CVE-2026-1440Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface
CVE-2026-1439Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface
CVE-2026-1437Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface
CVE-2026-1441Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface
CVE-2026-1435Incorrect management of session invalidation vulnerability in Graylog Web Interface

IV. Related Vulnerabilities

Same product: Graylog Web Interface
Same vendor: Graylog
Same weakness: CWE-79

V. Comments for CVE-2026-1438

No comments yet

Leave a comment