Vulnerability in Apache Software Foundation Log4j Json Template Layout

CVE-2026-34481

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN…

EPSS: 0.001 (17.4th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Log4j Json Template Layout — versions 2.14.0, 3.0.0-alpha1

Weakness classification (CWE)

CWE-116 — Improper Encoding or Escaping of Output

References

github.com/apache/logging-log4j2/pull/4080 (patch)
logging.apache.org/security.html (vendor-advisory)
logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
logging.apache.org/log4j/2.x/manual/json-template-layout.html (related)
lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv (vendor-advisory)