Improper Encoding or Escaping of Output in Apache Log4j - CVE-2026-34480

Published: April 28, 2026


Vulnerability identifier: #VU128402
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34480
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Log4j

Detailed vulnerability description

The vulnerability allows a remote attacker to cause log event loss.

The vulnerability exists due to improper output neutralization in XmlLayout when processing log messages or MDC values containing XML 1.0 forbidden characters. A remote attacker can supply crafted input containing forbidden characters to cause log event loss.

The impact depends on the StAX implementation in use: built-in JRE StAX may produce malformed XML that downstream parsers reject, while alternative implementations may throw an exception during the logging call so the event is delivered only to Log4j's internal status logger.
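The check a defender would run against XML-formatted log output, as an added example that is not Log4j code: it locates characters outside the XML 1.0 Char production, shows that a strict parser rejects an event carrying one even after markup escaping, and shows the event surviving once such characters are replaced. The layout stand-in, the sample message and the MDC values are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
# Anything outside it (most C0 controls, lone surrogates, U+FFFE/U+FFFF) may not
# appear in a document at all, so entity escaping of markup does not help.
_FORBIDDEN = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def forbidden_chars(text):
    """Return (offset, code point) for every XML 1.0 forbidden character in text."""
    return [(m.start(), ord(m.group())) for m in _FORBIDDEN.finditer(text)]

def neutralize(text):
    """Replace forbidden characters with U+FFFD so the event can be serialized."""
    return _FORBIDDEN.sub("\ufffd", text)

def render_event(message, mdc, neutralize_forbidden):
    """Constructed stand-in for an XML layout (not Log4j's XmlLayout): escapes
    markup in the message and MDC values, neutralizes forbidden chars only if asked."""
    fix = neutralize if neutralize_forbidden else (lambda s: s)
    items = "".join(
        f'<item key="{escape(fix(k), {chr(34): "&quot;"})}">{escape(fix(v))}</item>'
        for k, v in mdc.items()
    )
    return f"<event><message>{escape(fix(message))}</message><mdc>{items}</mdc></event>"

def is_well_formed(xml_text):
    """Would a strict downstream XML parser accept this serialized event?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    # Constructed sample: a form feed in the message and U+0001 in an MDC value.
    msg, mdc = "login failed for \x0cadmin", {"session": "s-\x01-42"}
    print(forbidden_chars(msg))                           # [(17, 12)]
    print(is_well_formed(render_event(msg, mdc, False)))  # False: event rejected downstream
    print(is_well_formed(render_event(msg, mdc, True)))   # True: event preserved
```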


How to mitigate CVE-2026-34480

Install the security update from the vendor's website.