Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 18, 2026

Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

CVE-2026-1438

Description

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context, through the '/system/nodes/' endpoint.

Affected products

Graylog/Graylog Web Interfacellm-fuzzy
Range: =2.2.3
Graylog/Graylog Web Interfacev5
Range: 2.2.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylogmitrepatch

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000