Vulnerability in Apache Software Foundation Log4j Core
CVE-2026-34480
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#cha…
EPSS: 0.000 (10.5th percentile)
Affected products
- Apache Software Foundation Log4j Core — versions 2.0-alpha1, 3.0.0-alpha1
Weakness classification (CWE)
References
- github.com/apache/logging-log4j2/pull/4077 (patch)
- logging.apache.org/security.html (vendor-advisory)
- logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
- logging.apache.org/log4j/2.x/manual/layouts.html (related)
- lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb (vendor-advisory)