Lucene search

43 matches found

RedHat Linux
added 2 days ago, 4 views

org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging

A flaw was found in Apache Log4j Core. The XmlLayout component, responsible for formatting log messages into XML, does not properly remove or replace characters that are not allowed in XML 1.0. When log messages or diagnostic information contain these forbidden characters, the resulting XML outpu...

CVSS 7.5 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 9

Tenable Nessus
added 2026/04/15 12:0 a.m., 9 views

Apache Log4j 2.0-alpha1 < 2.25.4 XmlLayout Invalid XML Output (CVE-2026-34480)

The version of Apache Log4j on the remote host is 2.0-alpha1 through 2.25.3. It is, therefore, affected by a vulnerability: - The XmlLayout fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such character...

CVSS 7.5 | AI score 5.4 | EPSS 0.00034
Exploits: 0 | References: 2

SUSE CVE
added 2026/04/13 11:25 p.m., 2 views

SUSE CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...

CVSS 5.3 | AI score 5.8 | EPSS 0.00292
Exploits: 0 | References: 3

EUVD
added 2026/04/10 6:31 p.m., 4 views

EUVD-2026-21410

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

CVSS 6.9 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 7

OSV
added 2026/04/10 4:16 p.m., 1 views

DEBIAN-CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...

CVSS 5.3 | AI score 5.3 | EPSS 0.00292
Exploits: 0 | References: 1

NVD
added 2026/04/10 4:16 p.m., 0 views

CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...

CVSS 6.3 | EPSS 0.00292
Exploits: 0 | References: 6

NVD
added 2026/04/10 4:16 p.m., 2 views

CVE-2026-34479

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...

CVSS 7.5 | EPSS 0.00126
Exploits: 1 | References: 6

OSV
added 2026/04/10 4:16 p.m., 2 views

UBUNTU-CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...

CVSS 6.3 | AI score 5.8 | EPSS 0.00292
Exploits: 0 | References: 8

OSV
added 2026/04/10 4:16 p.m., 2 views

UBUNTU-CVE-2026-34480

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

CVSS 7.5 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 8

UbuntuCve
added 2026/04/10 4:16 p.m., 0 views

CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...

CVSS 6.3 | AI score 5.8 | EPSS 0.00292
Exploits: 0 | References: 7

Positive Technologies
added 2026/04/10 12:0 a.m., 1 views

PT-2026-31942

Name of the Vulnerable Software and Affected Versions Apache Log4j Core versions up to and including 2.25.3 Description Apache Log4j Core's XmlLayout fails to sanitize characters forbidden by the XML 1.0 specification, resulting in invalid XML output when log messages or MDC values contain such...

CVSS 6.9 | AI score 5.7 | EPSS 0.00126
Exploits: 1 | References: 14

RedhatCVE
added 2025/12/10 3:26 a.m., 3 views

CVE-2025-66578

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML...

CVSS 7.5 | AI score 6.8 | EPSS 0.00032
Exploits: 1 | References: 1

Snyk
added 2025/12/09 3:40 a.m., 2 views

Uncaught Exception

Overview robrichards/xmlseclibs is a PHP library for XML Security. Affected versions of this package are vulnerable to Uncaught Exception in the form of improper handling of canonicalization failures. An attacker can bypass signature or digest validation by submitting specially crafted invalid XM...

CVSS 7.5 | AI score 6.9 | EPSS 0.00032
Exploits: 1 | References: 2

Positive Technologies
added 2025/12/09 12:0 a.m., 2 views

PT-2025-49775

Name of the Vulnerable Software and Affected Versions ruby-saml versions through 1.12.4 Description The ruby-saml library, which handles SAML authorization on the client side, has a flaw that could allow an attacker to bypass authentication. This is due to how the library processes XML data using...

CVSS 9.3 | AI score 6.6 | EPSS 0.00048
Exploits: 0 | References: 11

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-1731

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.4 | EPSS 0.00138
Exploits: 1 | References: 7

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-43601

Malicious code in bioql PyPI...

CVSS 7.8 | AI score 6.7 | EPSS 0.00219
Exploits: 0 | References: 21

Veeam
added 2023/09/27 12:0 a.m., 242 views

Cloud Backup "Inner SQL exception in the service provider infrastructure"

The error documented in this article can occur due to various reasons. This article specifically addresses a single scenario related to the underlying SQL database engine used by the Veeam Cloud Service Provider. The log snippet provided in the 'Cause' section offers context to help confirm wheth...

AI score 7.5
Exploits: 0 | Affected Software: 2

SUSE CVE
added 2023/06/06 2:15 a.m., 1 views

SUSE CVE-2023-34411

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service panic via an invalid ! token such as !DOCTYPEs/%!A nesting in an XML document. The earliest affected version is 0.8.9...

CVSS 7.5 | AI score 6.9 | EPSS 0.00138
Exploits: 1 | References: 3

Tenable Nessus
added 2023/05/04 12:0 a.m., 27 views

Amazon Linux AMI : libxml2 (ALAS-2023-1743)

The version of libxml2 installed on the remote host is prior to 2.9.1-6.6.42. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1743 advisory. parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the...

CVSS 9.8 | AI score 7.5 | EPSS 0.01443
Exploits: 8 | References: 28

RedhatCVE
added 2023/04/11 7:29 p.m., 79 views

CVE-2023-28484

A NULL pointer dereference vulnerability was found in libxml2. This issue occurs when parsing invalid XML schemas...

CVSS 5.9 | AI score 6.6 | EPSS 0.00388
Exploits: 1 | References: 3