Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
Local config/env access (AV:L, PR:H), Janino-on-classpath precondition raises complexity (AC:H), full code execution gives C:H/I:H, no availability impact described.
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (NCSC.ch).
CVSS VectorVendor: NCSC.ch
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green
Lifecycle Timeline
1DescriptionCVE.org
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Articles & Coverage 2
AnalysisAI
Arbitrary code execution in QOS.CH logback-core versions up to and including 1.5.34 allows a local attacker with existing privilege to run code in the context of any Java application that loads Logback when the Janino library is on the classpath. The flaw circumvents prior hardening for CVE-2025-11226 via conditional configuration file processing, and is triggered either by writing to an existing logback configuration file or by injecting an environment variable that points the process at a malicious configuration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete prerequisites that meaningfully limit real-world risk: (1) the Janino compiler library must be present on the target JVM's classpath, since logback's conditional `<if>`/`<then>`/`<else>` processing only activates when Janino is loadable; (2) the attacker must already possess local privileges on the host sufficient to either obtain write access to a logback configuration file the application loads, or to set/inject an environment variable (such as `logback.configurationFile`) before the Java process starts; and (3) the target Java application must subsequently start or reload its logging configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:H/UI:N, VC:H/VI:H/VA:N) and score of 7.0 honestly reflect that this is a local, privilege-required, configuration-dependent code execution rather than a remote RCE - the AT:P (attack requirements) captures the non-default Janino-on-classpath dependency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged service account on a Linux host running a Java application bundling logback-core 1.5.34 and Janino notices that /opt/app/conf/logback.xml is group-writable; the attacker rewrites the file to embed a Janino `<if>` expression that executes `Runtime.getRuntime().exec(...)` and waits for the next application restart or scheduled configuration reload, at which point their code runs as the application user. Alternatively, in a CI pipeline the attacker injects `LOGBACK_CONFIGURATION_FILE=/tmp/evil.xml` into the build environment to redirect the JVM at a malicious config and gain execution during the next test run. |
| Remediation | Upgrade logback-core to version 1.5.35 or later, the vendor-released patch announced at https://logback.qos.ch/news.html#1.5.35, and rebuild or redeploy any application that bundles a vulnerable copy (including transitive Spring Boot and other framework dependencies). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems using logback-core versions up to 1.5.34 and verify if Janino library is enabled on the classpath. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-20 – Improper Input Validation
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38691
GHSA-567r-vvh5-jjr8