8605 matches found
CVE-2026-34479 Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...
GHSA-H27X-RFFW-24P4 vulnerabilities
Vulnerabilities for packages: kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, cinc-auditor, logstash, ruby3.2-fluentd-kubernetes-daemonset, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset...
CVE-2026-35611 vulnerabilities
Vulnerabilities for packages: kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, cinc-auditor, logstash, ruby3.2-fluentd-kubernetes-daemonset, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset...
CVE-2026-35611 vulnerabilities
Vulnerabilities for packages: cinc-auditor, gitlab-rails-ce, ruby3.2-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset, kube-logging-operator, ruby4.0-fluentd-kubernetes-daemonset, logstash, gitlab-rails-ce-fips, kube-fluentd-operator...
GHSA-H27X-RFFW-24P4 vulnerabilities
Vulnerabilities for packages: cinc-auditor, gitlab-rails-ce, ruby3.2-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset, kube-logging-operator, ruby4.0-fluentd-kubernetes-daemonset, logstash, gitlab-rails-ce-fips, kube-fluentd-operator...
PT-2026-31939
Name of the Vulnerable Software and Affected Versions: Apache Log4j Core versions 2.12.0 through 2.25.3. Description: A flaw exists where hostname verification is ignored when configured through the verifyHostName attribute of the '' element. This occurs even if the attribute is explicitly set,...
Insertion of Sensitive Information into Log File
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of Kubernetes bearer tokens being printed in logs of the cloud membership for clustering module. Remediation Upgrade org.apache.tomcat:tomcat-tribes to version 9.0.117, 10.1.5...
RUSTSEC-2026-0097 Rand is unsound with a custom logger using `rand::rng()`
It has been reported by @lopopolo that the rand library is unsound, i.e., that safe code using the public API can cause Undefined Behaviour when all of the following conditions are met: the `log` and `thread_rng` features are enabled; a custom logger is defined; the custom logger accesses rand::rng...
CVE-2026-4901
Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged, allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, this sensitive information could be accessed by an unauthorized...
Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain
Large language model (LLM) agents increasingly rely on third-party API routers to dispatch tool-calling requests across multiple upstream providers. These routers operate as application-layer proxies with full plaintext access to every in-flight JSON payload, yet no provider enforces cryptographic...
Malicious code in gprofiler-logging (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f9db75962c82806edd773390d37cc66b2fc0aee51a334a08ec938a011e5f8aeb Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Important: Red Hat Security Advisory: Logging for Red Hat OpenShift - 6.0.14
Logging for Red Hat OpenShift - 6.0.14 Red Hat OpenShift Logging 6.0.14 is a cluster-wide logging solution for OpenShift that collects and manages applications, infrastructure, and audit logs...
Security Bulletin: Log Injection Vulnerability in orydolphin/flask-cors (Debug Logging) affects watsonx.data
Summary A vulnerability in orydolphin/flask-cors allows attackers to inject malicious log entries when debug logging is enabled. By sending specially crafted requests containing CRLF sequences, an attacker can corrupt or forge log entries, potentially obscuring other attacks or disrupting log...
Insertion of Sensitive Information into Log File
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the logging process when verbose logging is enabled and per-node BGP peer passwords are configured via node annotations. An attacker can obtain sensitive credential information by...
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Summary When kube-router is configured with per-node BGP peer passwords using the kube-router.io/peer.passwords node annotation, and verbose logging is enabled (--v=2 or higher), the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Anyone with...
CVE-2026-35171
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special key, which enables arbitrary...
CVE-2026-31789
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32-bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker-controlled code execution or other undefined behavior. If an attacker c...
Logging of Excessive Data
Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP. Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of unexpected properties in the clientData of the LoginPacket...