CVE-2026-34478

🗓️ 10 Apr 2026 15:40:17Reported by apacheType

Log4j Core Rfc5424Layout up to 2.25.3 allows CRLF injection from silent renames; upgrade to 2.25.4.

Reporter	Title	Published	Views	Family All 91
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Tivoli Netcool/OMNIbus_GUI	26 May 202614:03	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)	29 May 202609:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Apache Log4j Core shipped in Tivoli Netcool/OMNIbus	29 May 202612:15	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)	29 May 202609:56	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of log4j-core-2.25.3.jar, IBM Sterling Connect:Direct Web Services is vulnerable to log injection via CRLF sequences.	3 Jun 202604:27	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Configuration Manager IP Edition (ITNCM)	18 Apr 202602:39	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34480 ,CVE-2026-34477, CVE-2026-34478, CVE-2026-34479)	29 May 202608:56	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in watsonx.data	9 May 202608:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect for Manufacturing is vulnerable to multiple vulnerabilities due to Apache Log4j and Bouncy Castle.	11 May 202606:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to Apache Log4j ( CVE-2026-34477, CVE-2026-34478, CVE-2026-34479 & CVE-2026-34480 )	22 May 202614:52	–	ibm

NVD

Vulners

Node

apache log4jRange2.21.0–2.25.4

apache log4jMatch3.0.0beta1

apache log4jMatch3.0.0beta2

apache log4jMatch3.0.0beta3

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "cpes": [
      "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "packageName": "org.apache.logging.log4j:log4j-core",
    "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "product": "Apache Log4j Core",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.25.4",
        "status": "affected",
        "version": "2.21.0",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "3.0.0-beta3",
        "status": "affected",
        "version": "3.0.0-beta1",
        "versionType": "maven"
      }
    ]
  }
]

Source	Link
logging	www.logging.apache.org/log4j/2.x/manual/layouts.html
logging	www.logging.apache.org/security.html
logging	www.logging.apache.org/cyclonedx/vdr.xml
github	www.github.com/apache/logging-log4j2/pull/4074
lists	www.lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
openwall	www.openwall.com/lists/oss-security/2026/04/10/7

24 Apr 2026 18:10Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

CVSS 46.9

EPSS0.00034

SSVC