Arbitrary Code Execution Vulnerability in QOS.CH Logback Core Product
CVE-2026-13006
What is CVE-2026-13006?
A vulnerability exists in QOS.CH logback-core, specifically in how it handles conditional configuration files in Java applications. The flaw allows attackers to execute arbitrary code by circumventing existing protections. Exploitation requires the Janino library to be present in the user's class path, and the attacker must have write access to a configuration file. Alternatively, a malicious environment variable can be injected to point to a compromised configuration file, which also requires existing privileges. Securing configuration files and enforcing proper access controls is crucial to mitigating this risk.
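A defender can check a deployment for the preconditions described above. The following audit script is an added example, not code from the advisory or from the Logback project. It assumes Janino ships as `janino-*.jar`, configuration files are named `logback*.xml`, conditionals appear as `<if condition="...">` elements, and POSIX permission bits apply; all function names are hypothetical.

```python
import os, re, stat, tempfile
from pathlib import Path

# Logback conditional configuration uses <if condition="..."> elements (evaluated by Janino).
IF_ELEMENT = re.compile(rb"<if\s+[^>]*condition\s*=", re.IGNORECASE)
JANINO_JAR = re.compile(r"^janino-.*\.jar$", re.IGNORECASE)   # assumed jar naming
CONFIG_NAME = re.compile(r"^logback.*\.xml$", re.IGNORECASE)  # assumed config naming

def audit(root):
    """Report the advisory's two preconditions under an application directory."""
    report = {"janino_jars": [], "configs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            if JANINO_JAR.match(name):
                report["janino_jars"].append(str(path))
            elif CONFIG_NAME.match(name):
                mode = path.stat().st_mode
                report["configs"].append({
                    "path": str(path),
                    # Informational: the app relies on Janino, so removing it needs a config change.
                    "uses_conditionals": bool(IF_ELEMENT.search(path.read_bytes())),
                    "writable_beyond_owner": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
                })
    # A writer can add conditionals, so any loosely writable config counts when Janino is present.
    report["at_risk"] = bool(report["janino_jars"]) and any(
        c["writable_beyond_owner"] for c in report["configs"])
    return report

def env_config_pointers(environ):
    """Names of environment variables whose value points at an XML file (review each one)."""
    return sorted(k for k, v in environ.items() if v.lower().endswith(".xml"))

def demo(config_mode=0o664):
    """Constructed sample layout: empty Janino jar plus a config using a conditional."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "lib").mkdir()
        (Path(root) / "lib" / "janino-0.0.0.jar").write_bytes(b"")  # constructed name
        cfg = Path(root) / "logback.xml"
        cfg.write_text("<configuration><if condition='isDefined(\"ENV\")'>"
                       "<then/></if></configuration>")
        os.chmod(cfg, config_mode)
        return audit(root)

if __name__ == "__main__":
    print(demo(), env_config_pointers(dict(os.environ)))
```

Run `audit()` against the real application directory as the service account; a result with `at_risk` set means the configuration file permissions should be tightened to owner-only write.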
Affected Version(s)
Logback-core Java 0.9.20 <= 1.5.134
Logback-core Java 1.5.35
Timeline
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
