Linux Distros Unpatched Vulnerability : CVE-2026-34478

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to lo...

Linux Distros Unpatched Vulnerability : CVE-2026-34481

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces inval...

Linux Distros Unpatched Vulnerability : CVE-2026-34480

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize...

Improper Output Handling

Apache Log4j Core is vulnerable to Improper Output Handling. The vulnerability is due to XmlLayout failing to sanitize characters forbidden by the XML 1.0 specification, allowing log messages or MDC values to produce malformed XML or trigger exceptions during logging, which can lead to dropped or...

Linux Distros Unpatched Vulnerability : CVE-2026-40021

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout- list and XmlLayoutSchemaLog4J...

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to ind...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout and XmlLayoutSchemaLog4J layouts due to improper sanitisation of unescaped XML 1.0 forbidden characters in MDC property keys, values, or the identity field. An attacker can cause...

EUVD-2026-21488

Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0...

org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...

EUVD-2026-21409

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...

GHSA-W35J-PV5H-Q9Q9 Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to ind...

EUVD-2026-21412

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. Th...

GHSA-H383-GMXW-35V2 Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...

GHSA-4F7C-PMJV-C25W Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters

Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0...

EUVD-2026-21408

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...

EUVD-2026-21410

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility

Apache Log4j Core's Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XMLLayout component. An attacker can cause log records to be silently dropped or fail to be indexed by injecting XML 1.0 forbidden characters into logged data, which results in invalid XML...

org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +893 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=2.14.0 <=2.25.3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =2.14.0, =9.0.0, =9.0.0, =9.0.0, =9.0.0, =9.0.0, =2.0.14-spark-4.0, =4.43.0, =4.48.0 - com.azure.cosmos.spark:azure-cosmos-spark4-12-13 =4.48.0 and more Source cves: CVE-2026-34481 Source advisory:...