Vulnerability in Apache Software Foundation Log4cxx

CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets…

EPSS: 0.003 (52.8th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Log4cxx — versions 0
Apache Software Foundation Log4cxx (Brew) — versions 0
Apache Software Foundation Log4cxx (Conan) — versions 0

Weakness classification (CWE)

CWE-116 — Improper Encoding or Escaping of Output

References

github.com/apache/logging-log4cxx/pull/609 (patch)
logging.apache.org/security.html (vendor-advisory)
logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html (related)
lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b (vendor-advisory)