#VU116684 Input validation error in Logback - CVE-2025-11226


Published: October 7, 2025


Vulnerability identifier: #VU116684
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-11226
CWE-ID: CWE-20
Exploitation vector: Local (CVSS AV:L; the attacker needs the target application to load a crafted configuration file)
Exploit availability: No public exploit available
Vulnerable software:
Logback
Software vendor:
QOS.ch

Description

The vulnerability allows an attacker who can control the logback configuration file loaded by an application to execute arbitrary code on the affected system.

The vulnerability exists due to insufficient validation of input when logback parses its configuration file: expressions embedded in the configuration are compiled and executed through the Janino library. An attacker who can trick the victim into loading a specially crafted configuration file (for example by modifying an existing one or by pointing the application at an attacker-controlled file) can execute arbitrary code with the privileges of that application.

Successful exploitation of the vulnerability requires the presence of the Janino library and the Spring Framework on the application's class path. Deployments that ship without Janino do not meet the precondition.
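The practical question for a defender is whether a given deployment depends on Janino at all: if no configuration uses Janino-backed expressions, Janino can be dropped from the class path, which removes the precondition stated above. The following audit script is an added example written for this page; it is not code from the advisory or from QOS.ch. It parses a logback XML configuration and lists every element that hands an expression to Janino, namely `<evaluator>` elements whose class is (or defaults to) `ch.qos.logback.classic.boolex.JaninoEventEvaluator` and carry an `<expression>`, and `<if condition="...">` blocks, which logback's conditional processing also compiles with Janino. The sample configuration and class path strings are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Evaluator class that logback uses when <evaluator> carries no class attribute.
JANINO_EVALUATOR = "ch.qos.logback.classic.boolex.JaninoEventEvaluator"

# Constructed sample logback.xml: one EvaluatorFilter with a Janino <expression>
# and one conditional <if> block. Both are compiled and run by Janino.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>
        <expression>return message.contains("billing");</expression>
      </evaluator>
      <OnMatch>ACCEPT</OnMatch>
      <OnMismatch>DENY</OnMismatch>
    </filter>
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <if condition='property("HOSTNAME").contains("prod")'>
    <then><root level="WARN"/></then>
  </if>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""


def find_janino_uses(xml_text):
    """Return (kind, expression) pairs, in document order, for every element of
    a logback configuration that passes code to Janino for compilation."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag == "evaluator":
            # A missing class attribute means the Janino evaluator is used.
            cls = el.get("class", JANINO_EVALUATOR)
            expr = el.findtext("expression")
            if cls == JANINO_EVALUATOR and expr is not None:
                findings.append(("evaluator", expr.strip()))
        elif el.tag == "if":
            cond = el.get("condition")
            if cond is not None:
                findings.append(("if", cond.strip()))
    return findings


def classpath_has_janino(classpath, sep=":"):
    """True if any class path entry looks like a Janino jar (name-based check)."""
    return any("janino" in entry.lower() for entry in classpath.split(sep))


def audit(xml_text, classpath):
    """Summarise exposure: Janino present, and whether any config relies on it.
    'removable' means Janino could be dropped without breaking this config."""
    uses = find_janino_uses(xml_text)
    present = classpath_has_janino(classpath)
    return {
        "janino_on_classpath": present,
        "janino_uses": uses,
        "removable": present and not uses,
    }


if __name__ == "__main__":
    cp = "/app/lib/logback-core-1.5.18.jar:/app/lib/janino-3.1.12.jar"  # constructed
    for kind, expr in find_janino_uses(SAMPLE_CONFIG):
        print(f"{kind:10s} {expr}")
    print(audit(SAMPLE_CONFIG, cp))
```

The script only reports whether a deployment relies on Janino; it does not detect a compromised configuration. Pair it with file-integrity monitoring on the configuration files and with a review of who can write them.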


Remediation

Update Logback to a fixed release from the vendor's website. Until the upgrade is deployed, remove the Janino library from the class path if no configuration relies on it, and restrict write access to logback configuration files, and to whatever selects which file is loaded, to trusted users.

External links