CVE-2026-34480

MEDIUM · EPSS 53.9%
Published Apr 10, 2026 (2mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 4.0 base score 6.9 (Medium)

Description

Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use:

  • JRE built-in StAX: forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  • Alternative StAX implementations (e.g. Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): an exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Either way the affected records are lost, at the downstream parser or at the source. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
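The following added example (not Log4j code, and not part of the advisory) reproduces the three behaviours described above in Python: a constructed, simplified XML event writer is run in a permissive mode standing in for the JRE StAX writer, a strict mode standing in for Woodstox, and a sanitizing mode standing in for the 2.25.4 fix. The element layout, the mode names, the U+FFFD replacement character and the sample log event are all assumptions made for the example; the forbidden-character class is taken directly from the XML 1.0 Char production. A conforming parser (expat, via xml.etree) is then asked whether it accepts each output.

```python
"""Constructed stand-in for the behaviour described in CVE-2026-34480.

This is not Log4j code. A simplified XML event writer runs in three modes that
mirror the advisory: permissive (JRE StAX), strict (Woodstox-like) and
sanitizing (Log4j Core 2.25.4 behaviour).
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Code points outside the XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
#   Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# i.e. C0 controls other than TAB/LF/CR, lone surrogates, and U+FFFE/U+FFFF.
FORBIDDEN_XML10 = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")

# Assumption: each forbidden character is replaced by U+FFFD. The advisory only says
# that 2.25.4 "sanitizes"; it does not state which replacement is used.
REPLACEMENT = "\ufffd"


def forbidden_chars(text: str) -> list[str]:
    """List the forbidden code points in `text` as U+XXXX labels, in order of appearance."""
    return [f"U+{ord(c):04X}" for c in FORBIDDEN_XML10.findall(text)]


def sanitize(text: str) -> str:
    """Replace every XML-1.0-forbidden character before the text reaches the XML writer."""
    return FORBIDDEN_XML10.sub(REPLACEMENT, text)


def _passthrough(text: str) -> str:
    return text


def render_event(message: str, mdc: dict[str, str], mode: str) -> str:
    """Serialise one log event as XML in one of three modes.

    "jre"      write characters through unchanged; the output may be malformed
    "woodstox" raise at logging time, as a strict StAX writer would, so the event is lost
    "fixed"    sanitize first, as 2.25.4 does
    The element layout is a constructed approximation, not XmlLayout's real schema.
    """
    if mode == "woodstox":
        for field in (message, *mdc.keys(), *mdc.values()):
            if bad := forbidden_chars(field):
                raise ValueError(f"forbidden XML character(s) {bad}: event not delivered")
        fix = _passthrough
    elif mode == "jre":
        fix = _passthrough
    elif mode == "fixed":
        fix = sanitize
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # quoteattr() encodes quotes, &, <, > and TAB/LF/CR; escape() handles &, <, >.
    # Neither touches the forbidden code points, which is exactly the gap being shown.
    items = "".join(
        f"<item key={quoteattr(fix(k))} value={quoteattr(fix(v))}/>" for k, v in mdc.items()
    )
    return (
        '<Event level="INFO">'
        f"<Message>{escape(fix(message))}</Message>"
        f"<ContextMap>{items}</ContextMap>"
        "</Event>"
    )


def is_well_formed(xml_text: str) -> bool:
    """Decide as a conforming downstream parser would: True only if the document is accepted."""
    try:
        ET.fromstring(xml_text)
        return True
    except (ET.ParseError, UnicodeError):
        # ParseError: a control character is an "invalid token" for expat.
        # UnicodeError: a lone surrogate cannot even be UTF-8 encoded for the parser.
        return False


# Constructed sample event: a request-supplied username carrying an ANSI escape
# (ESC, U+001B) and an MDC value holding a lone surrogate (U+DC80).
SAMPLE_MESSAGE = "login failed for user \x1b[31madmin\x1b[0m"
SAMPLE_MDC = {"requestId": "7f3a", "userAgent": "bot\udc80"}

if __name__ == "__main__":
    print("forbidden in message:", forbidden_chars(SAMPLE_MESSAGE))
    print("jre mode well-formed:", is_well_formed(render_event(SAMPLE_MESSAGE, SAMPLE_MDC, "jre")))
    try:
        render_event(SAMPLE_MESSAGE, SAMPLE_MDC, "woodstox")
    except ValueError as exc:
        print("woodstox mode:", exc)
    fixed = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, "fixed")
    print("fixed mode well-formed:", is_well_formed(fixed))
    print(fixed)
```

The same `forbidden_chars` scan, run over an existing XmlLayout log file, is a quick way to find records that a conforming downstream parser has been rejecting while an affected version was in use.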

CVSS Details

Base Score 6.9 (CVSS 4.0, Medium)
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector (AV) Network
Attack Complexity (AC) Low
Attack Requirements (AT) None
Privileges Required (PR) None
User Interaction (UI) None
Vulnerable System Impact (VC/VI/VA) None / None / None
Subsequent System Impact (SC/SI/SA) None / Low / None
Threat and environmental metrics (E, CR … U) not defined (X)

Threat Intelligence

EPSS 53.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-116 Improper Encoding or Escaping of Output

Affected Products

Vendor   Product   Version   Range
apache   log4j     *         ≥ 2.0, < 2.25.4
apache   log4j     3.0.0     any

References 6

  • openwall.com http://www.openwall.com/lists/oss-security/2026/04/10/9
    Mailing List, Third Party Advisory
  • github.com https://github.com/apache/logging-log4j2/pull/4077
    Issue Tracking, Patch
  • lists.apache.org https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
    Mailing List, Vendor Advisory
  • logging.apache.org https://logging.apache.org/cyclonedx/vdr.xml
    Product
  • logging.apache.org https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
    Technical Description
  • logging.apache.org https://logging.apache.org/security.html#CVE-2026-34480
    Vendor Advisory

Remediation

  • github.com https://github.com/apache/logging-log4j2/pull/4077
    Issue Tracking, Patch