Vulnerability in Apache Software Foundation Log4net

CVE-2026-40021

Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3…

EPSS: 0.003 (52.2th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Log4net — versions 0

Weakness classification (CWE)

CWE-116 — Improper Encoding or Escaping of Output

References

github.com/apache/logging-log4net/pull/280 (patch)
logging.apache.org/security.html (vendor-advisory)
logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
logging.apache.org/log4net/manual/configuration/layouts.html (related)
lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7 (vendor-advisory)