CVE-2026-34480

🗓️ 10 Apr 2026 15:42:03Reported by apacheType

CVE-2026-34480: Log4j Core XmlLayout does not sanitize XML 1.0 forbidden chars.

Reporter	Title	Published	Views	Family All 124
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)	29 May 202609:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Apache Log4j Core shipped in Tivoli Netcool/OMNIbus	29 May 202612:15	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)	29 May 202609:56	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of log4j-core-2.25.3.jar, IBM Sterling Connect:Direct Web Services is vulnerable to log injection via CRLF sequences.	3 Jun 202604:27	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34480 ,CVE-2026-34477, CVE-2026-34478, CVE-2026-34479)	29 May 202608:56	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in watsonx.data	9 May 202608:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Log4j	27 May 202617:36	–	ibm
IBM Security Bulletins	Security Bulletin: The Apache Log4J 2 package that is shipped with IBM ApplinX is vulnerable to multiple vulnerabilities (CVE-2026-34480, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479).	11 Jun 202621:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect for Manufacturing is vulnerable to multiple vulnerabilities due to Apache Log4j and Bouncy Castle.	11 May 202606:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect for Healthcare is vulnerable to multiple vulnerabilities due to Apache Log4j and Apache Neethi	8 Jun 202611:43	–	ibm

NVD

Vulners

Node

apache log4jRange2.0–2.25.4

apache log4jMatch3.0.0alpha1

apache log4jMatch3.0.0alpha1_rc1

apache log4jMatch3.0.0alpha1_rc2

apache log4jMatch3.0.0beta1

apache log4jMatch3.0.0beta2

apache log4jMatch3.0.0beta3

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "cpes": [
      "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "packageName": "org.apache.logging.log4j:log4j-core",
    "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "product": "Apache Log4j Core",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.25.4",
        "status": "affected",
        "version": "2.0-alpha1",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "3.0.0-beta3",
        "status": "affected",
        "version": "3.0.0-alpha1",
        "versionType": "maven"
      }
    ]
  }
]

Source	Link
logging	www.logging.apache.org/log4j/2.x/manual/layouts.html
logging	www.logging.apache.org/security.html
github	www.github.com/apache/logging-log4j2/pull/4077
logging	www.logging.apache.org/cyclonedx/vdr.xml
lists	www.lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
openwall	www.openwall.com/lists/oss-security/2026/04/10/9

24 Apr 2026 18:21Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

CVSS 46.9

EPSS0.00034

SSVC

CWE-116