Skip to main content

Apache CVE-2026-34479

| EUVDEUVD-2026-21409 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-04-10 apache GHSA-h383-gmxw-35v2
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21409
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
Patch released
Apr 10, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 10, 2026 - 15:41 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 197 maven packages depend on org.apache.logging.log4j:log4j-1.2-api (174 direct, 23 indirect)

Ecosystem-wide dependent count for version 2.7.

DescriptionCVE.org

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

Two groups of users are affected:

  • Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
  • Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.

Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.

Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

AnalysisAI

Log4j1XmlLayout in Apache Log4j 1-to-Log4j 2 bridge fails to escape XML 1.0-forbidden characters, causing malformed XML output that conforming XML parsers reject with fatal errors. This impacts downstream log processing systems that may drop or fail to index affected log records, affecting organizations using either Log4j1XmlLayout directly in Log4j Core 2 configurations or the deprecated Log4j 1 compatibility layer with XMLLayout. While no active exploitation has been confirmed, the vulnerability has a notable EPSS score and affects information disclosure integrity. Vendor-released patch version 2.25.4 is available.

Technical ContextAI

The Log4j 1-to-Log4j 2 bridge (CPE: cpe:2.3:a:apache_software_foundation:apache_log4j_1_to_log4j_2_bridge) provides backward compatibility for legacy Log4j 1 configurations by adapting them to Log4j 2's architecture. Log4j1XmlLayout is the XML formatting component within this bridge. The vulnerability stems from improper input validation and encoding (CWE-116: Improper Encoding or Escaping of Output). When the layout encounters characters forbidden by the XML 1.0 specification (certain control characters and invalid Unicode sequences), it fails to sanitize them before writing to XML output. XML 1.0 parsers, per W3C standards, treat such characters as fatal errors, causing parsers to reject the entire document. This is particularly problematic in operational environments where log aggregation systems, security information and event management (SIEM) platforms, and compliance logging frameworks depend on valid XML for indexing, correlation, and archival.

RemediationAI

Vendor-released patch: Upgrade Apache Log4j 1-to-Log4j 2 bridge to version 2.25.4 or later. Organizations using Log4j Core 2 should update their Log4j 2 dependency to a version containing the patched bridge (version 2.25.4 or later). For long-term resilience, Apache strongly recommends migrating away from the deprecated Log4j 1-to-Log4j 2 bridge entirely by refactoring legacy Log4j 1 configurations to native Log4j 2 configurations; consult the migration guide at https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html for detailed migration steps. Interim workaround: If immediate upgrade is not feasible, disable XML-based logging or switch to JSON, CSV, or plaintext layouts that do not require XML 1.0 conformance. Validate that downstream log processing systems can successfully ingest logs after patching. Full advisory details and discussion are available at https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

CVE-2026-34479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy