What is the CVSS score of CVE-2025-11226?

CVE-2025-11226 has a CVSS 4.0 base score of 5.9 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/AU:N/RE:M/U:Green. EPSS exploitation probability: 0.1%.

Which versions of Java are affected by CVE-2025-11226?

Organizations using conditional configuration file processing by QOS.CH logback-core should be aware of moderate risk from CVE-2025-11226, a input validation vulnerability rated CVSS 5.9.. A patch is available.

How to fix or mitigate CVE-2025-11226?

Within 30 days: Identify affected systems running conditional configuration file processing by QOS.CH logback and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Java CVE-2025-11226

EUVD-2025-32903 MEDIUM

Improper Input Validation (CWE-20)

2025-10-01 vulnerability@ncsc.ch

GHSA-25qh-j22f-pwp8

RCE Java Spring Debian Red Hat Suse

5.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/AU:N/RE:M/U:Green

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 13, 2026 - 18:18 euvd

EUVD-2025-32903

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

CVE Published

Oct 01, 2025 - 08:15 nvd

MEDIUM 5.9

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

371 maven packages depend on ch.qos.logback:logback-core (44 direct, 327 indirect)

Ecosystem-wide dependent count for version 1.4.0.

DescriptionNVD

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

AnalysisAI

A remote code execution vulnerability in conditional configuration file processing by QOS.CH logback-core (CVSS 5.9) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Technical ContextAI

CWE-20 (Improper Input Validation). Affects conditional configuration file processing by QOS.CH logback-core.

RemediationAI

Monitor vendor channels for patch availability.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-47269 HIGH This Week

7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH

CVE-2026-47271 MEDIUM This Month

5.1 May 27

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str

CVE-2026-45898 Awaiting Data

May 27

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin

Vendor StatusVendor

Debian

logback

Release	Status	Fixed Version	Urgency
bullseye	fixed	1:1.2.3-6	-
bookworm	fixed	1:1.2.11-3	-
forky, sid, trixie	fixed	1:1.2.11-6	-
(unstable)	not-affected	-	-

CVE-2025-11226 vulnerability details – vuln.today

Back