Lucene search
+L

2450 matches found

osv
osv
added 2026/04/10 6:31 p.m.4 views

GHSA-H383-GMXW-35V2 Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...

6.9CVSS5.8AI score0.00535EPSS
Exploits1References8
github
github
added 2026/04/10 6:31 p.m.9 views

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to ind...

7.5CVSS5.8AI score0.00555EPSS
Exploits0References8Affected Software1
euvd
euvd
added 2026/04/10 6:31 p.m.4 views

EUVD-2026-21408

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...

6.9CVSS5.8AI score0.00831EPSS
Exploits0References7
vulnersosv
vulnersosv
added 2026/04/10 6:31 p.m.8 views

ch.cern:cerndb-sw-zkpolicy (=1.0.1-21), cloud.metaapi.sdk:metaapi-common-java (>=1.0.0 <=1.0.1) +258 more potentially affected by CVE-2026-34478 via org.apache.logging.log4j:log4j-core (>=3.0.0-beta1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-beta1, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 - com.frostphyr:customappender =1.1.0 and more Source cves: CVE-2026-34478 Source advisory: OSV:GHSA-445C-VH5M-36RJ...

7.5CVSS6.5AI score0.00831EPSS
Exploits0
vulnersosv
vulnersosv
added 2026/04/10 6:31 p.m.12 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +21863 more potentially affected by CVE-2026-34480 via org.apache.logging.log4j:log4j-core (>=2.0-alpha1 <=2.25.3)

org.apache.logging.log4j:log4j-core MAVEN version =2.0-alpha1, =0.14.1, =0.1.0, =0.9.6, =0.12.0, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =4.4.0.0, =1.4.6, =1.4.6, =1.4.8 and more Source cves: CVE-2026-34480 Source advisory: OSV:GHSA-3PXV-7CMR-FJR4...

7.5CVSS5.7AI score0.0086EPSS
Exploits0
euvd
euvd
added 2026/04/10 6:31 p.m.4 views

EUVD-2026-21407

The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.htmllog4j2.sslVerifyHostName system property, but no...

6.3CVSS6.6AI score0.00743EPSS
Exploits1References6
vulnersosv
vulnersosv
added 2026/04/10 6:31 p.m.8 views

bg.codexio.ai:openai-api-examples (>=0.8.0.BETA <=0.9.0.BETA-JDK17), ch.cern:cerndb-sw-zkpolicy (=1.0.1-21) +307 more potentially affected by CVE-2026-34480 via org.apache.logging.log4j:log4j-core (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-alpha1, =0.8.0.BETA, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 and more Source cves: CVE-2026-34480 Source advisory: OSV:GHSA-3PXV-7CMR-FJR4...

7.5CVSS5.4AI score0.0086EPSS
Exploits0
vulnersosv
vulnersosv
added 2026/04/10 6:31 p.m.11 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +19258 more potentially affected by CVE-2026-34477 via org.apache.logging.log4j:log4j-core (>=2.12.0 <=2.25.3)

org.apache.logging.log4j:log4j-core MAVEN version =2.12.0, =0.14.1, =0.1.0, =0.9.6, =0.12.0, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =4.4.0.1, =1.4.6, =1.4.6, =1.4.8 and more Source cves: CVE-2026-34477 Source advisory: OSV:GHSA-6HG6-V5C8-FPHQ...

6.3CVSS6.5AI score0.00395EPSS
Exploits0
vulnersosv
vulnersosv
added 2026/04/10 6:31 p.m.9 views

bg.codexio.ai:openai-api-examples (>=0.8.0.BETA <=0.9.0.BETA-JDK17), ch.cern:cerndb-sw-zkpolicy (=1.0.1-21) +307 more potentially affected by CVE-2026-34477 via org.apache.logging.log4j:log4j-core (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-alpha1, =0.8.0.BETA, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 and more Source cves: CVE-2026-34477 Source advisory: OSV:GHSA-6HG6-V5C8-FPHQ...

6.3CVSS6.5AI score0.00395EPSS
Exploits0
osv
osv
added 2026/04/10 6:31 p.m.4 views

GHSA-3PXV-7CMR-FJR4 Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: JRE built-in...

6.9CVSS5.7AI score0.0086EPSS
Exploits0References8
osv
osv
added 2026/04/10 6:31 p.m.4 views

GHSA-6HG6-V5C8-FPHQ Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration

The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName attribute of the element. Although the verifyHostName configuration attribute was introduced in Log4...

6.3CVSS5.8AI score0.00395EPSS
Exploits0References7
euvd
euvd
added 2026/04/10 6:31 p.m.12 views

EUVD-2026-21410

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

6.9CVSS5.8AI score0.0086EPSS
Exploits0References7
osv
osv
added 2026/04/10 6:31 p.m.4 views

GHSA-445C-VH5M-36RJ Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility

Apache Log4j Core's Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:...

6.9CVSS5.8AI score0.00831EPSS
Exploits0References8
github
github
added 2026/04/10 6:31 p.m.20 views

Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration

The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName attribute of the element. Although the verifyHostName configuration attribute was introduced in Log4...

6.3CVSS6.6AI score0.00743EPSS
Exploits1References7Affected Software1
github
github
added 2026/04/10 6:31 p.m.11 views

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: JRE built-in...

7.5CVSS5.7AI score0.0086EPSS
Exploits0References8Affected Software1
vulnersosv
vulnersosv
added 2026/04/10 5:8 p.m.9 views

bg.codexio.ai:openai-api-examples (>=0.8.0.BETA <=0.9.0.BETA-JDK17), ch.cern:cerndb-sw-zkpolicy (=1.0.1-21) +307 more potentially affected by CVE-2026-34479 via org.apache.logging.log4j:log4j-core (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-alpha1, =0.8.0.BETA, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 and more Source cves: CVE-2026-34479 Source advisory: SNYK:JAVA-ORGAPACHELOGGINGLOG4J-15967804...

7.5CVSS5.4AI score0.00535EPSS
Exploits1
vulnersosv
vulnersosv
added 2026/04/10 5:8 p.m.10 views

bg.codexio.ai:openai-api-examples (>=0.8.0.BETA <=0.9.0.BETA-JDK17), ch.cern:cerndb-sw-zkpolicy (=1.0.1-21) +307 more potentially affected by CVE-2026-34477 via org.apache.logging.log4j:log4j-core (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-alpha1, =0.8.0.BETA, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 and more Source cves: CVE-2026-34477 Source advisory: SNYK:JAVA-ORGAPACHELOGGINGLOG4J-15967727...

6.3CVSS6.5AI score0.00395EPSS
Exploits0
vulnersosv
vulnersosv
added 2026/04/10 5:8 p.m.11 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +19258 more potentially affected by CVE-2026-34477 via org.apache.logging.log4j:log4j-core (>=2.12.0 <=2.25.3)

org.apache.logging.log4j:log4j-core MAVEN version =2.12.0, =0.14.1, =0.1.0, =0.9.6, =0.12.0, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =4.4.0.1, =1.4.6, =1.4.6, =1.4.8 and more Source cves: CVE-2026-34477 Source advisory: SNYK:JAVA-ORGAPACHELOGGINGLOG4J-15967727...

6.3CVSS6.5AI score0.00395EPSS
Exploits0
snyk
snyk
added 2026/04/10 5:8 p.m.5 views

Improper Validation of Certificate with Host Mismatch

Overview org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the...

6.8CVSS6.6AI score0.00395EPSS
Exploits0References2
vulnersosv
vulnersosv
added 2026/04/10 5:6 p.m.11 views

org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...

7.5CVSS5.8AI score0.00555EPSS
Exploits0
Rows per page
Query Builder