CVE-2026-34479

Exploit

EPSS 0.17%
Veröffentlicht 10.04.2026 15:41:07
Zuletzt bearbeitet 06.05.2026 18:21:34
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

Two groups of users are affected:

  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.


Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.

Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

NVD 6 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Log4j Version >= 2.7 < 2.25.4

Apache ≫ Log4j Version3.0.0 Updatealpha1

Apache ≫ Log4j Version3.0.0 Updatealpha1_rc1

Apache ≫ Log4j Version3.0.0 Updatealpha1_rc2

Apache ≫ Log4j Version3.0.0 Updatebeta1

Apache ≫ Log4j Version3.0.0 Updatebeta2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.378

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@apache.org	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://logging.apache.org/cyclonedx/vdr.xml

Vendor Advisory

https://github.com/apache/logging-log4j2/pull/4078

Patch

Exploit

Issue Tracking

https://logging.apache.org/security.html#CVE-2026-34479

Vendor Advisory

https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html

Mitigation

https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on

Mailing List