Vulnerability in Apache Software Foundation Log4j Core
CVE-2026-34478
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-releva…
EPSS: 0.000 (10.5th percentile)
Affected products
- Apache Software Foundation Log4j Core — versions 2.21.0, 3.0.0-beta1
Weakness classification (CWE)
References
- github.com/apache/logging-log4j2/pull/4074 (patch)
- logging.apache.org/security.html (vendor-advisory)
- logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
- logging.apache.org/log4j/2.x/manual/layouts.html (related)
- lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt (vendor-advisory)