Skip to main content

Logback Core EUVDEUVD-2026-38691

| CVE-2026-13006 HIGH
Improper Input Validation (CWE-20)
2026-06-24 NCSC.ch GHSA-567r-vvh5-jjr8
7.0
CVSS 4.0 · Vendor: NCSC.ch
Share

Severity by source

Vendor (NCSC.ch) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
vuln.today AI
5.7 MEDIUM

Local config/env access (AV:L, PR:H), Janino-on-classpath precondition raises complexity (AC:H), full code execution gives C:H/I:H, no availability impact described.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.0 MEDIUM
qualitative

Primary rating from Vendor (NCSC.ch).

CVSS VectorVendor: NCSC.ch

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
P

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 06:53 vuln.today

DescriptionCVE.org

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

AnalysisAI

Arbitrary code execution in QOS.CH logback-core versions up to and including 1.5.34 allows a local attacker with existing privilege to run code in the context of any Java application that loads Logback when the Janino library is on the classpath. The flaw circumvents prior hardening for CVE-2025-11226 via conditional configuration file processing, and is triggered either by writing to an existing logback configuration file or by injecting an environment variable that points the process at a malicious configuration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local foothold on Java host
Delivery
Identify logback-core ≤1.5.34 with Janino on classpath
Exploit
Write malicious logback.xml or inject configurationFile env var
Execution
Trigger application start or config reload
Persist
Janino compiles attacker expression
Impact
Arbitrary code executes as application user

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete prerequisites that meaningfully limit real-world risk: (1) the Janino compiler library must be present on the target JVM's classpath, since logback's conditional `<if>`/`<then>`/`<else>` processing only activates when Janino is loadable; (2) the attacker must already possess local privileges on the host sufficient to either obtain write access to a logback configuration file the application loads, or to set/inject an environment variable (such as `logback.configurationFile`) before the Java process starts; and (3) the target Java application must subsequently start or reload its logging configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:H/UI:N, VC:H/VI:H/VA:N) and score of 7.0 honestly reflect that this is a local, privilege-required, configuration-dependent code execution rather than a remote RCE - the AT:P (attack requirements) captures the non-default Janino-on-classpath dependency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged service account on a Linux host running a Java application bundling logback-core 1.5.34 and Janino notices that /opt/app/conf/logback.xml is group-writable; the attacker rewrites the file to embed a Janino `<if>` expression that executes `Runtime.getRuntime().exec(...)` and waits for the next application restart or scheduled configuration reload, at which point their code runs as the application user. Alternatively, in a CI pipeline the attacker injects `LOGBACK_CONFIGURATION_FILE=/tmp/evil.xml` into the build environment to redirect the JVM at a malicious config and gain execution during the next test run.
Remediation Upgrade logback-core to version 1.5.35 or later, the vendor-released patch announced at https://logback.qos.ch/news.html#1.5.35, and rebuild or redeploy any application that bundles a vulnerable copy (including transitive Spring Boot and other framework dependencies). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems using logback-core versions up to 1.5.34 and verify if Janino library is enabled on the classpath. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-38691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy