XML Layout Vulnerability in Apache Log4j Core by Apache
CVE-2026-34480

6.9MEDIUM

Key Information:

Vendor

Apache
Status
Apache Log4j Core
Vendor
CVE Published:
10 April 2026

What is CVE-2026-34480?

Apache Log4j Core's XmlLayout prior to version 2.25.4 is susceptible to a vulnerability where it fails to sanitize forbidden characters, leading to malformed XML outputs. This issue can result in either silent logging of invalid XML, which compatible systems may reject, or exceptions during logging in certain StAX implementations, thus preventing log events from being processed correctly. Upgrading to version 2.25.4 is recommended to avoid these issues by ensuring forbidden characters are properly sanitized.

Affected Version(s)

Apache Log4j Core 2.0-alpha1 < 2.25.4

Apache Log4j Core 3.0.0-alpha1 <= 3.0.0-beta3

References

https://github.com/apache/logging-log4j2/pull/4077
patch
https://logging.apache.org/security.html#CVE-2026-34480
vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml
vendor-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)
jabaltarik1 (independently)
.