Improper Encoding or Escaping of Output in Apache Log4j - CVE-2026-34479
Published: April 28, 2026
Vulnerability identifier: #VU128401
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34479
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Log4j
Apache Log4j
Detailed vulnerability description
The vulnerability allows a remote attacker to cause downstream log processing systems to drop or fail to index affected records.
The vulnerability exists due to improper output neutralization in Log4j1XmlLayout when producing XML log output containing characters forbidden by the XML 1.0 standard. A remote attacker can cause such characters to be included in logged data to cause downstream log processing systems to drop or fail to index affected records.
The issue affects configurations using Log4j1XmlLayout directly in a Log4j Core 2 configuration file or through the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
How to mitigate CVE-2026-34479
Install security update from vendor's website.