ACE Vulnerability in logback-core Affects QOS.CH Java Applications
CVE-2026-1225

1.8 LOW

Key Information:

Vendor
CVE Published: 22 January 2026

Badges

👾 Exploit Exists

What is CVE-2026-1225?

A vulnerability in the configuration file processing of QOS.CH's logback-core allows an attacker who has write access to the logback configuration to manipulate it. This can lead to the instantiation of unauthorized Java classes, provided those classes are already present on the user's class-path. Although the potentially malicious instance may be discarded after creation, the initial compromise poses a significant risk to application integrity and security.

Affected Version(s)

Logback-core Java 0.9.20 <= 1.5.24

Logback-core Java 1.5.25

References

CVSS V4

Score: 1.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

https://www.code-intelligence.com/
Google Fuzz