Skip to main content

Apache Log4J Api

1 CVEs product

Monthly

CVE-2026-49844 MEDIUM PATCH This Month

Malformed JSON output in Apache Log4j API versions 2.13.1-2.25.4 and 2.26.0 allows a remote attacker who can inject non-finite floating-point values (NaN, Infinity, -Infinity) into a logged MapMessage to corrupt downstream log records and disrupt log ingestion pipelines. This is an incomplete fix follow-on to CVE-2026-34481: the prior patch left code paths in MapMessage.asJson() and MapMessage.getFormattedMessage(["JSON"]) that still emit bare IEEE 754 non-finite tokens prohibited by RFC 8259. No public exploit or active exploitation (CISA KEV) has been identified; the CVSS 4.0 score of 6.3 reflects limited subsequent-system integrity impact rather than direct host compromise.

Information Disclosure Apache Apache Log4J Api
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.8%
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Malformed JSON output in Apache Log4j API versions 2.13.1-2.25.4 and 2.26.0 allows a remote attacker who can inject non-finite floating-point values (NaN, Infinity, -Infinity) into a logged MapMessage to corrupt downstream log records and disrupt log ingestion pipelines. This is an incomplete fix follow-on to CVE-2026-34481: the prior patch left code paths in MapMessage.asJson() and MapMessage.getFormattedMessage(["JSON"]) that still emit bare IEEE 754 non-finite tokens prohibited by RFC 8259. No public exploit or active exploitation (CISA KEV) has been identified; the CVSS 4.0 score of 6.3 reflects limited subsequent-system integrity impact rather than direct host compromise.

Information Disclosure Apache Apache Log4J Api
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy