2 matches found
CVE-2018-1285
CVE-2018-1285 affects Apache log4net up to version 2.0.9 (pre-2.0.10), where XML External Entity (XXE) processing is not disabled when parsing log4net configuration files, enabling XXE-based attacks in applications that accept attacker-controlled configuration files. The connected IBM security bulletin confirms the v...
CVE-2026-40021
Apache log4net before version 3.3.0 contains a vulnerability in XmlLayout and XmlLayoutSchemaLog4J where characters forbidden by XML 1.0 are not sanitized in MDC keys/values and the identity field. The issue causes a serialization exception and silent loss of the affected log event, which can be ...