Improper Encoding or Escaping of Output in Apache log4cxx - CVE-2026-40023
Published: April 28, 2026
Vulnerability identifier: #VU128404
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-40023
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache log4cxx
Apache log4cxx
Detailed vulnerability description
The vulnerability allows a remote attacker to suppress individual log records.
The vulnerability exists due to improper output neutralization in XMLLayout when processing logged data containing XML 1.0 forbidden characters. A remote attacker can inject crafted characters into log messages, NDC, or MDC property keys and values to suppress individual log records.
This can cause downstream log processing systems to reject invalid XML documents and fail to index affected records.
How to mitigate CVE-2026-40023
Install security update from vendor's website.