Input validation error in Logback - CVE-2025-11226

Published: October 7, 2025


Vulnerability identifier: #VU116684
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-11226
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: QOS.ch
Affected software:
Logback

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing a configuration file. A remote attacker can trick the victim into using a specially crafted configuration file and execute arbitrary code on the system.

Successful exploitation of the vulnerability requires the presence of the Janino library and the Spring Framework on the user's classpath.
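The advisory ties exposure to two preconditions on the classpath plus a configuration file the application can be made to load. The following audit helper is an added example written for this page; it is not code from QOS.ch or the Logback project. It takes a list of jar file names and the text of a Logback configuration, reports whether Logback, Janino and Spring are all present, and lists the `<if condition="...">` blocks in the configuration, since those are the blocks Logback hands to Janino for evaluation. The jar-name patterns, the sample jar list and the sample configuration are constructed assumptions; adjust the patterns to your own build's artifact naming.

```python
import re
from pathlib import Path

# Jar-name patterns for the preconditions the advisory names. Matching on the
# artifact-name prefix is an assumption; adjust to your build's naming scheme.
PRECONDITION_JARS = {
    "janino": re.compile(r"^janino-.*\.jar$", re.IGNORECASE),
    "spring": re.compile(r"^spring-.*\.jar$", re.IGNORECASE),
}
LOGBACK_JAR = re.compile(r"^logback-(core|classic)-.*\.jar$", re.IGNORECASE)

# Logback evaluates <if condition="..."> blocks with Janino, so these are the
# configuration elements to review when untrusted config files are a concern.
CONDITION_RE = re.compile(r"<if\s+condition\s*=", re.IGNORECASE)


def classpath_preconditions(jar_names):
    """Report which of logback / janino / spring appear in a list of jar paths."""
    found = {"logback": False, "janino": False, "spring": False}
    for jar in jar_names:
        base = re.split(r"[\\/]", jar)[-1]  # strip any directory prefix
        if LOGBACK_JAR.match(base):
            found["logback"] = True
        for name, pattern in PRECONDITION_JARS.items():
            if pattern.match(base):
                found[name] = True
    return found


def conditional_lines(config_text):
    """Return 1-based line numbers of Janino-evaluated <if condition=...> blocks."""
    return [
        lineno
        for lineno, line in enumerate(config_text.splitlines(), start=1)
        if CONDITION_RE.search(line)
    ]


def assess(jar_names, config_text):
    """Combine both checks: exposure needs all three jars on the classpath."""
    pre = classpath_preconditions(jar_names)
    return {
        "preconditions": pre,
        "exposed": pre["logback"] and pre["janino"] and pre["spring"],
        "conditional_lines": conditional_lines(config_text),
    }


def jars_in_dir(lib_dir):
    """Collect jar file names from a lib directory (convenience for real runs)."""
    return [str(p) for p in Path(lib_dir).glob("*.jar")]


# Constructed sample input (not a real deployment): placeholder versions only.
SAMPLE_JARS = [
    "lib/logback-classic-x.y.z.jar",
    "lib/logback-core-x.y.z.jar",
    "lib/janino-x.y.z.jar",
    "lib/spring-core-x.y.z.jar",
]

SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"/>
  <if condition='property("env").equals("dev")'>
    <then><root level="DEBUG"/></then>
  </if>
</configuration>
"""

if __name__ == "__main__":
    result = assess(SAMPLE_JARS, SAMPLE_CONFIG)
    print("preconditions:", result["preconditions"])
    print("exposed:", result["exposed"])
    print("conditional blocks at lines:", result["conditional_lines"])
```

In practice, feed `assess` the output of `jars_in_dir` for each application's lib directory together with every `logback.xml` or `logback-test.xml` that the application can load; a result with `exposed` true and a non-empty `conditional_lines` list is the combination to prioritise for patching, and a configuration sourced from anywhere outside your own repository should be treated as untrusted regardless.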


How to mitigate CVE-2025-11226

Install updates from the vendor's website.

Sources