Vulnerability-Lookup

WID-SEC-W-2026-1067

Vulnerability from csaf_certbund - Published: 2026-04-12 22:00 - Updated: 2026-06-02 22:00

Summary

Apache log4j: Mehrere Schwachstellen ermöglichen Manipulation von Dateien

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Apache log4j ausnutzen, um Dateien zu manipulieren.

Betroffene Betriebssysteme: - Sonstiges

CVE-2026-34477

Affected products

Known affected 9 products

Product	Identifier	Version
IBM SPSS Modeler IBM / SPSS	`cpe:/a:ibm:spss:modeler`	Modeler
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Offline Knowledge Portal Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:offline_knowledge_portal`	Offline Knowledge Portal
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache log4j <2.25.4 Apache / log4j		<2.25.4
IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36`	8.1.0-8.1.0.36
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—

CVE-2026-34478

Affected products

Known affected 9 products

Product	Identifier	Version
IBM SPSS Modeler IBM / SPSS	`cpe:/a:ibm:spss:modeler`	Modeler
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Offline Knowledge Portal Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:offline_knowledge_portal`	Offline Knowledge Portal
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache log4j <2.25.4 Apache / log4j		<2.25.4
IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36`	8.1.0-8.1.0.36
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—

CVE-2026-34479

Affected products

Known affected 9 products

Product	Identifier	Version
IBM SPSS Modeler IBM / SPSS	`cpe:/a:ibm:spss:modeler`	Modeler
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Offline Knowledge Portal Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:offline_knowledge_portal`	Offline Knowledge Portal
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache log4j <2.25.4 Apache / log4j		<2.25.4
IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36`	8.1.0-8.1.0.36
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—

CVE-2026-34480

Affected products

Known affected 9 products

Product	Identifier	Version
IBM SPSS Modeler IBM / SPSS	`cpe:/a:ibm:spss:modeler`	Modeler
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Offline Knowledge Portal Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:offline_knowledge_portal`	Offline Knowledge Portal
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache log4j <2.25.4 Apache / log4j		<2.25.4
IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36`	8.1.0-8.1.0.36
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—

CVE-2026-34481

Affected products

Known affected 9 products

Product	Identifier	Version
IBM SPSS Modeler IBM / SPSS	`cpe:/a:ibm:spss:modeler`	Modeler
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Offline Knowledge Portal Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:offline_knowledge_portal`	Offline Knowledge Portal
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache log4j <2.25.4 Apache / log4j		<2.25.4
IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36`	8.1.0-8.1.0.36
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—

References

15 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-6HG6-V5C8-FPHQ	external
https://github.com/advisories/GHSA-445C-VH5M-36RJ	external
https://github.com/advisories/GHSA-H383-GMXW-35V2	external
https://github.com/advisories/GHSA-3pxv-7cmr-fjr4	external
https://github.com/advisories/GHSA-w35j-pv5h-q9q9	external
https://msrc.microsoft.com/update-guide/	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://www.ibm.com/support/pages/node/7273809	external
https://www.ibm.com/support/pages/node/7274080	external
https://www.ibm.com/support/pages/node/7274227	external
https://access.redhat.com/errata/RHSA-2026:21773	external
https://access.redhat.com/errata/RHSA-2026:22619	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache log4j ausnutzen, um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1067 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1067.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1067 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1067"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6HG6-V5C8-FPHQ vom 2026-04-12",
        "url": "https://github.com/advisories/GHSA-6HG6-V5C8-FPHQ"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-445C-VH5M-36RJ vom 2026-04-12",
        "url": "https://github.com/advisories/GHSA-445C-VH5M-36RJ"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-H383-GMXW-35V2 vom 2026-04-12",
        "url": "https://github.com/advisories/GHSA-H383-GMXW-35V2"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3pxv-7cmr-fjr4 vom 2026-04-12",
        "url": "https://github.com/advisories/GHSA-3pxv-7cmr-fjr4"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-w35j-pv5h-q9q9 vom 2026-04-12",
        "url": "https://github.com/advisories/GHSA-w35j-pv5h-q9q9"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-04-14",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10544-1 vom 2026-04-15",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4PYSIASLDV4ARR35HGWQNBVP5EMAIURV/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1843-1 vom 2026-05-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026025.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7273809 vom 2026-05-22",
        "url": "https://www.ibm.com/support/pages/node/7273809"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7274080 vom 2026-05-26",
        "url": "https://www.ibm.com/support/pages/node/7274080"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7274227 vom 2026-05-27",
        "url": "https://www.ibm.com/support/pages/node/7274227"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21773 vom 2026-05-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:21773"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22619 vom 2026-06-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:22619"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache log4j: Mehrere Schwachstellen erm\u00f6glichen Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2026-06-02T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-03T06:33:30.618+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1067",
      "initial_release_date": "2026-04-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-02T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.25.4",
                "product": {
                  "name": "Apache log4j \u003c2.25.4",
                  "product_id": "T052700"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.4",
                "product": {
                  "name": "Apache log4j 2.25.4",
                  "product_id": "T052700-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:log4j:2.25.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "log4j"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM App Connect Enterprise",
            "product": {
              "name": "IBM App Connect Enterprise",
              "product_id": "T054632",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:app_connect_enterprise:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Modeler",
                "product": {
                  "name": "IBM SPSS Modeler",
                  "product_id": "T018587",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spss:modeler"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SPSS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.1.0-8.1.0.36",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus 8.1.0-8.1.0.36",
                  "product_id": "T054713",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0_-_8.1.0.36"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tivoli Netcool/OMNIbus"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Offline Knowledge Portal",
                "product": {
                  "name": "Red Hat Enterprise Linux Offline Knowledge Portal",
                  "product_id": "T054837",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:offline_knowledge_portal"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-34477",
      "product_status": {
        "known_affected": [
          "T018587",
          "T002207",
          "67646",
          "T054837",
          "T027843",
          "T052700",
          "T054713",
          "T049210",
          "T054632"
        ]
      },
      "release_date": "2026-04-12T22:00:00.000+00:00",
      "title": "CVE-2026-34477"
    },
    {
      "cve": "CVE-2026-34478",
      "product_status": {
        "known_affected": [
          "T018587",
          "T002207",
          "67646",
          "T054837",
          "T027843",
          "T052700",
          "T054713",
          "T049210",
          "T054632"
        ]
      },
      "release_date": "2026-04-12T22:00:00.000+00:00",
      "title": "CVE-2026-34478"
    },
    {
      "cve": "CVE-2026-34479",
      "product_status": {
        "known_affected": [
          "T018587",
          "T002207",
          "67646",
          "T054837",
          "T027843",
          "T052700",
          "T054713",
          "T049210",
          "T054632"
        ]
      },
      "release_date": "2026-04-12T22:00:00.000+00:00",
      "title": "CVE-2026-34479"
    },
    {
      "cve": "CVE-2026-34480",
      "product_status": {
        "known_affected": [
          "T018587",
          "T002207",
          "67646",
          "T054837",
          "T027843",
          "T052700",
          "T054713",
          "T049210",
          "T054632"
        ]
      },
      "release_date": "2026-04-12T22:00:00.000+00:00",
      "title": "CVE-2026-34480"
    },
    {
      "cve": "CVE-2026-34481",
      "product_status": {
        "known_affected": [
          "T018587",
          "T002207",
          "67646",
          "T054837",
          "T027843",
          "T052700",
          "T054713",
          "T049210",
          "T054632"
        ]
      },
      "release_date": "2026-04-12T22:00:00.000+00:00",
      "title": "CVE-2026-34481"
    }
  ]
}

CVE-2026-34477 (GCVE-0-2026-34477)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:36 – Updated: 2026-04-10 17:38

Title

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

Summary

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-297 - Improper Validation of Certificate with Host Mismatch

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4075	patch
https://logging.apache.org/security.html#CVE-2026-34477	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/appen…	related
https://lists.apache.org/thread/lkx8cl46t2bvkcwfc…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.12.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Samuli Leinonen (original reporter) Naresh Kandula (independently) Vitaly Simonovich (independently) Raijuna (independently) Danish Siddiqui (djvirus, independently) Markus Magnuson (independently) Haruki Oyama (Waseda University, independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:36:46.652477Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:38:57.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuli Leinonen (original reporter)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Naresh Kandula (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Vitaly Simonovich (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Raijuna (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Danish Siddiqui (djvirus, independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Markus Magnuson (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Haruki Oyama (Waseda University, independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe fix for \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/security.html#CVE-2025-68161\"\u003eCVE-2025-68161\u003c/a\u003e was incomplete: it addressed hostname verification only when enabled via the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName\"\u003e\u003ccode\u003elog4j2.sslVerifyHostName\u003c/code\u003e\u003c/a\u003e system property, but not when configured through the \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName\"\u003everifyHostName\u003c/a\u003e\u003c/code\u003e attribute of the \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\u003cp\u003eAlthough the \u003ccode\u003everifyHostName\u003c/code\u003e configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\u003c/p\u003e\u003cp\u003eA network-based attacker may be able to perform a man-in-the-middle attack when \u003cstrong\u003eall\u003c/strong\u003e of the following conditions are met:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn SMTP, Socket, or Syslog appender is in use.\u003c/li\u003e\u003cli\u003eTLS is configured via a nested \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/li\u003e\u003cli\u003eThe attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThis issue does not affect users of the HTTP appender, which uses a separate \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName\"\u003everifyHostname\u003c/a\u003e\u003c/code\u003e attribute that was not subject to this bug and verifies host names by default.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the \u003cSsl\u003e element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested \u003cSsl\u003e element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-297",
              "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:36:19.740Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4075"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34477"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-20T19:05:00.000Z",
          "value": "Vulnerability reported by Samuli Leinonen"
        },
        {
          "lang": "en",
          "time": "2025-12-30T22:57:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-02-25T19:35:00.000Z",
          "value": "Independent report received from Naresh Kandula"
        },
        {
          "lang": "en",
          "time": "2026-03-01T23:01:00.000Z",
          "value": "Independent report received from Vitaly Simonovich"
        },
        {
          "lang": "en",
          "time": "2026-03-02T06:31:00.000Z",
          "value": "Independent report received from Raijuna"
        },
        {
          "lang": "en",
          "time": "2026-03-08T18:17:00.000Z",
          "value": "Independent report received from Danish Siddiqui"
        },
        {
          "lang": "en",
          "time": "2026-03-19T09:46:00.000Z",
          "value": "Independent report received from Markus Magnuson"
        },
        {
          "lang": "en",
          "time": "2026-03-21T11:13:00.000Z",
          "value": "Independent report received from Haruki Oyama"
        },
        {
          "lang": "en",
          "time": "2026-03-24T19:46:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4075"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34477",
    "datePublished": "2026-04-10T15:36:19.740Z",
    "dateReserved": "2026-03-28T11:26:04.052Z",
    "dateUpdated": "2026-04-10T17:38:57.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34478 (GCVE-0-2026-34478)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:40 – Updated: 2026-04-10 17:50

Title

Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Summary

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-684 - Incorrect Provision of Specified Functionality
CWE-117 - Improper Output Neutralization for Logs

Assigner

apache

References

6 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4074	patch
https://logging.apache.org/security.html#CVE-2026-34478	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/layou…	related
https://lists.apache.org/thread/3k1clr2l6vkdnl4cb…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/04/10/7

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.21.0 , < 2.25.4 (maven) Affected: 3.0.0-beta1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Samuli Leinonen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:17.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34478",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:48:27.852992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:50:12.484Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-beta1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuli Leinonen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout\"\u003eRfc5424Layout\u003c/a\u003e\u003c/code\u003e, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\u003c/p\u003e\u003cp\u003eTwo distinct issues affect users of stream-based syslog services who configure \u003ccode\u003eRfc5424Layout\u003c/code\u003e directly:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003ccode\u003enewLineEscape\u003c/code\u003e attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\u003c/li\u003e\u003cli\u003eThe \u003ccode\u003euseTlsMessageFormat\u003c/code\u003e attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers of the \u003ccode\u003eSyslogAppender\u003c/code\u003e are not affected, as its configuration attributes were not modified.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j Core\u0027s  Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\n\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-684",
              "description": "CWE-684 Incorrect Provision of Specified Functionality",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-117",
              "description": "CWE-117 Improper Output Neutralization for Logs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:40:17.713Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4074"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34478"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-25T12:58:00.000Z",
          "value": "Vulnerability reported by Samuli Leinonen"
        },
        {
          "lang": "en",
          "time": "2026-03-10T16:00:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:41:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4074"
        },
        {
          "lang": "en",
          "time": "2026-03-25T11:02:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34478",
    "datePublished": "2026-04-10T15:40:17.713Z",
    "dateReserved": "2026-03-28T13:17:35.586Z",
    "dateUpdated": "2026-04-10T17:50:12.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34479 (GCVE-0-2026-34479)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:41 – Updated: 2026-04-10 17:47

Title

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

6 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4078	patch
https://logging.apache.org/security.html#CVE-2026-34479	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/migrate-from…	related
https://lists.apache.org/thread/gd0hp6mj17rn3kj27…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/04/10/8

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j 1 to Log4j 2 bridge	Affected: 2.7 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta2 (maven) cpe:2.3:a:apache:log4j_1_2_api::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:18.699Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:45:24.466114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:47:34.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-1.2-api",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api",
          "product": "Apache Log4j 1 to Log4j 2 bridge",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.7",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta2",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\u003c/p\u003e\u003cp\u003eTwo groups of users are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThose using \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e directly in a Log4j Core 2 configuration file.\u003c/li\u003e\u003cli\u003eThose using the Log4j 1 configuration compatibility layer with \u003ccode\u003eorg.apache.log4j.xml.XMLLayout\u003c/code\u003e specified as the layout class.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\"\u003eLog4j 1 to Log4j 2 migration guide\u003c/a\u003e, and specifically the section on eliminating reliance on the bridge.\u003c/p\u003e"
            }
          ],
          "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:41:07.888Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4078"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34479"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:56:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34479",
    "datePublished": "2026-04-10T15:41:07.888Z",
    "dateReserved": "2026-03-28T14:06:31.965Z",
    "dateUpdated": "2026-04-10T17:47:34.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34480 (GCVE-0-2026-34480)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:42 – Updated: 2026-04-10 17:45

Title

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

6 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4077	patch
https://logging.apache.org/security.html#CVE-2026-34480	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/layou…	related
https://lists.apache.org/thread/5x0hcnng0chhghp6j…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/04/10/9

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.0-alpha1 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:19.775Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34480",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:43:51.255638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:45:07.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.0-alpha1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout\"\u003eXmlLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.w3.org/TR/xml/#charsets\"\u003eXML 1.0 specification\u003c/a\u003e producing invalid XML output whenever a log message or MDC value contains such characters.\u003c/p\u003e\u003cp\u003eThe impact depends on the StAX implementation in use:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eJRE built-in StAX:\u003c/strong\u003e Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAlternative StAX implementations\u003c/strong\u003e (e.g., \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/FasterXML/woodstox\"\u003eWoodstox\u003c/a\u003e, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core \u003ccode\u003e2.25.4\u003c/code\u003e, which corrects this issue by sanitizing forbidden characters before XML output.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j Core\u0027s  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:42:03.843Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4077"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34480"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:15:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:52:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4077"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34480",
    "datePublished": "2026-04-10T15:42:03.843Z",
    "dateReserved": "2026-03-28T15:29:27.095Z",
    "dateUpdated": "2026-04-10T17:45:07.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34481 (GCVE-0-2026-34481)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:43 – Updated: 2026-04-10 17:41

Title

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Summary

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

6 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4080	patch
https://logging.apache.org/security.html#CVE-2026-34481	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/json-…	related
https://lists.apache.org/thread/n34zdv00gbkdbzt2r…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j JSON Template Layout	Affected: 2.14.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j_layout_template_json::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:20.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:41:23.224802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:41:38.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-layout-template-json",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-layout-template-json",
          "product": "Apache Log4j JSON Template Layout",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/json-template-layout.html\"\u003eJsonTemplateLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (\u003ccode\u003eNaN\u003c/code\u003e, \u003ccode\u003eInfinity\u003c/code\u003e, or \u003ccode\u003e-Infinity\u003c/code\u003e), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\u003c/p\u003e\u003cp\u003eAn attacker can exploit this issue only if both of the following conditions are met:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe application uses \u003ccode\u003eJsonTemplateLayout\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe application logs a \u003ccode\u003eMapMessage\u003c/code\u003e containing an attacker-controlled floating-point value.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j\u0027s  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses JsonTemplateLayout.\n  *  The application logs a MapMessage containing an attacker-controlled floating-point value.\n\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:43:00.100Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4080"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34481"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T18:14:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:42:00.000Z",
          "value": "Candidate patch internally shared by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-24T23:06:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4080"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:54:00.000Z",
          "value": "Fix verified by the reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34481",
    "datePublished": "2026-04-10T15:43:00.100Z",
    "dateReserved": "2026-03-28T19:23:37.127Z",
    "dateUpdated": "2026-04-10T17:41:38.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1067

CVE-2026-34477 (GCVE-0-2026-34477)

CVE-2026-34478 (GCVE-0-2026-34478)

CVE-2026-34479 (GCVE-0-2026-34479)

CVE-2026-34480 (GCVE-0-2026-34480)

CVE-2026-34481 (GCVE-0-2026-34481)

Tags

Sightings

Nomenclature