Skip to main content

Apache CVE-2026-34480

| EUVDEUVD-2026-21410 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-04-10 apache GHSA-3pxv-7cmr-fjr4
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21410
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
Patch released
Apr 10, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 10, 2026 - 15:42 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 maven packages depend on org.apache.logging.log4j:log4j-core (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0-alpha1.

DescriptionCVE.org

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

  • JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  • Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

AnalysisAI

Apache Log4j Core's XmlLayout in versions up to 2.25.3 fails to sanitize XML-forbidden characters, producing malformed XML output when log messages or MDC values contain such characters. The impact varies by StAX implementation: JRE's built-in StAX silently writes invalid XML that conforming parsers reject, potentially causing downstream log-processing systems to drop records; alternative StAX implementations like Woodstox throw exceptions during logging calls, preventing event delivery to the intended appender. No public exploit code or active exploitation has been identified; this is a data integrity and log availability issue rather than a confidentiality or authentication bypass. Patch version 2.25.4 is available from Apache.

Technical ContextAI

Apache Log4j Core's XmlLayout component handles serialization of log events to XML format using the StAX (Streaming API for XML) interface. The XML 1.0 specification strictly defines allowed character ranges; characters outside these ranges (such as certain control characters and undefined Unicode sequences) are forbidden. Log4j's XmlLayout processes log message content and mapped diagnostic context (MDC) values-user-supplied or application-derived data-directly into XML output without first validating compliance with XML 1.0 character restrictions. When forbidden characters are present, the behavior depends on the underlying StAX implementation: the JRE's reference implementation tolerates them and writes malformed XML (violating the specification but continuing execution), whereas alternative implementations like Woodstox (a transitive dependency of Jackson XML Dataformat) enforce strict XML validation and raise exceptions. This is a character encoding and input sanitization issue (CWE-116: Improper Encoding or Escaping of Output).

RemediationAI

Vendor-released patch: Apache Log4j Core 2.25.4. Upgrade to version 2.25.4 or later, which implements proper sanitization of forbidden XML characters before XML output generation. For environments unable to upgrade immediately, use alternative layouts such as JsonLayout or PatternLayout instead of XmlLayout, provided downstream systems can accommodate the format change. Additionally, implement input validation or filtering at the application level to prevent forbidden characters from entering log messages or MDC values, though this is a defense-in-depth measure and not a substitute for patching. For patch details and verification, consult the official Apache Log4j security advisory at https://logging.apache.org/security.html#CVE-2026-34480 and the corresponding fix pull request at https://github.com/apache/logging-log4j2/pull/4077.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

CVE-2026-34480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy