Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
Typemaven
Namespaceorg.apache.logging.log4j
Namelog4j-core
Version3.0.0-beta3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-4nzu-3a6y-jqab
vulnerability_id VCID-4nzu-3a6y-jqab
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34477.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34477.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34477
reference_id
reference_type
scores
0
value 0.00108
scoring_system epss
scoring_elements 0.29136
published_at 2026-04-12T12:55:00Z
1
value 0.00108
scoring_system epss
scoring_elements 0.29084
published_at 2026-04-13T12:55:00Z
2
value 0.00108
scoring_system epss
scoring_elements 0.29182
published_at 2026-04-11T12:55:00Z
3
value 0.00143
scoring_system epss
scoring_elements 0.34503
published_at 2026-04-21T12:55:00Z
4
value 0.00143
scoring_system epss
scoring_elements 0.34541
published_at 2026-04-18T12:55:00Z
5
value 0.00143
scoring_system epss
scoring_elements 0.34556
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34477
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/logging-log4j2
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/logging-log4j2
4
reference_url https://logging.apache.org/cyclonedx/vdr.xml
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:36:46Z/
url https://logging.apache.org/cyclonedx/vdr.xml
5
reference_url https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:36:46Z/
url https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34477
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34477
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457319
reference_id 2457319
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457319
8
reference_url https://github.com/apache/logging-log4j2/pull/4075
reference_id 4075
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:36:46Z/
url https://github.com/apache/logging-log4j2/pull/4075
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
10
reference_url https://github.com/advisories/GHSA-6hg6-v5c8-fphq
reference_id GHSA-6hg6-v5c8-fphq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6hg6-v5c8-fphq
11
reference_url https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
reference_id lkx8cl46t2bvkcwfcb2pd43ygc097lq4
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:36:46Z/
url https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
12
reference_url https://logging.apache.org/security.html#CVE-2026-34477
reference_id security.html#CVE-2026-34477
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:36:46Z/
url https://logging.apache.org/security.html#CVE-2026-34477
fixed_packages
aliases CVE-2026-34477, GHSA-6hg6-v5c8-fphq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4nzu-3a6y-jqab
1
url VCID-hhc8-3wd3-4bh5
vulnerability_id VCID-hhc8-3wd3-4bh5
summary 
Apache Log4j Core's XmlLayout fails to sanitize characters
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.


Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34480.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34480.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34480
reference_id
reference_type
scores
0
value 0.00119
scoring_system epss
scoring_elements 0.30901
published_at 2026-04-11T12:55:00Z
1
value 0.00119
scoring_system epss
scoring_elements 0.30813
published_at 2026-04-13T12:55:00Z
2
value 0.00119
scoring_system epss
scoring_elements 0.30858
published_at 2026-04-12T12:55:00Z
3
value 0.00157
scoring_system epss
scoring_elements 0.36497
published_at 2026-04-16T12:55:00Z
4
value 0.00157
scoring_system epss
scoring_elements 0.36423
published_at 2026-04-21T12:55:00Z
5
value 0.00157
scoring_system epss
scoring_elements 0.3648
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34480
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34480
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34480
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/apache/logging-log4j2
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/logging-log4j2
5
reference_url https://github.com/apache/logging-log4j2/pull/4077
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://github.com/apache/logging-log4j2/pull/4077
6
reference_url https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
7
reference_url https://logging.apache.org/cyclonedx/vdr.xml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/cyclonedx/vdr.xml
8
reference_url https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
9
reference_url https://logging.apache.org/security.html#CVE-2026-34480
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/security.html#CVE-2026-34480
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34480
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34480
11
reference_url http://www.openwall.com/lists/oss-security/2026/04/10/9
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/10/9
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133847
reference_id 1133847
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133847
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457328
reference_id 2457328
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457328
14
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
15
reference_url https://github.com/advisories/GHSA-3pxv-7cmr-fjr4
reference_id GHSA-3pxv-7cmr-fjr4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3pxv-7cmr-fjr4
fixed_packages
aliases CVE-2026-34480, GHSA-3pxv-7cmr-fjr4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hhc8-3wd3-4bh5
2
url VCID-s9nz-6x8z-ykgz
vulnerability_id VCID-s9nz-6x8z-ykgz
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34478.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34478.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34478
reference_id
reference_type
scores
0
value 0.00145
scoring_system epss
scoring_elements 0.34928
published_at 2026-04-11T12:55:00Z
1
value 0.00145
scoring_system epss
scoring_elements 0.34869
published_at 2026-04-13T12:55:00Z
2
value 0.00145
scoring_system epss
scoring_elements 0.34892
published_at 2026-04-12T12:55:00Z
3
value 0.00191
scoring_system epss
scoring_elements 0.40947
published_at 2026-04-21T12:55:00Z
4
value 0.00191
scoring_system epss
scoring_elements 0.41053
published_at 2026-04-16T12:55:00Z
5
value 0.00191
scoring_system epss
scoring_elements 0.41024
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34478
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/logging-log4j2
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/logging-log4j2
4
reference_url https://logging.apache.org/cyclonedx/vdr.xml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:48:27Z/
url https://logging.apache.org/cyclonedx/vdr.xml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34478
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34478
6
reference_url http://www.openwall.com/lists/oss-security/2026/04/10/7
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/10/7
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457323
reference_id 2457323
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457323
8
reference_url https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
reference_id 3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:48:27Z/
url https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
9
reference_url https://github.com/apache/logging-log4j2/pull/4074
reference_id 4074
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:48:27Z/
url https://github.com/apache/logging-log4j2/pull/4074
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
11
reference_url https://github.com/advisories/GHSA-445c-vh5m-36rj
reference_id GHSA-445c-vh5m-36rj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-445c-vh5m-36rj
12
reference_url https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
reference_id layouts.html#RFC5424Layout
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:48:27Z/
url https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
13
reference_url https://logging.apache.org/security.html#CVE-2026-34478
reference_id security.html#CVE-2026-34478
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:48:27Z/
url https://logging.apache.org/security.html#CVE-2026-34478
fixed_packages
aliases CVE-2026-34478, GHSA-445c-vh5m-36rj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s9nz-6x8z-ykgz
Fixing_vulnerabilities
0
url VCID-hhc8-3wd3-4bh5
vulnerability_id VCID-hhc8-3wd3-4bh5
summary 
Apache Log4j Core's XmlLayout fails to sanitize characters
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.


Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34480.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34480.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34480
reference_id
reference_type
scores
0
value 0.00119
scoring_system epss
scoring_elements 0.30901
published_at 2026-04-11T12:55:00Z
1
value 0.00119
scoring_system epss
scoring_elements 0.30813
published_at 2026-04-13T12:55:00Z
2
value 0.00119
scoring_system epss
scoring_elements 0.30858
published_at 2026-04-12T12:55:00Z
3
value 0.00157
scoring_system epss
scoring_elements 0.36497
published_at 2026-04-16T12:55:00Z
4
value 0.00157
scoring_system epss
scoring_elements 0.36423
published_at 2026-04-21T12:55:00Z
5
value 0.00157
scoring_system epss
scoring_elements 0.3648
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34480
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34480
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34480
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/apache/logging-log4j2
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/logging-log4j2
5
reference_url https://github.com/apache/logging-log4j2/pull/4077
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://github.com/apache/logging-log4j2/pull/4077
6
reference_url https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
7
reference_url https://logging.apache.org/cyclonedx/vdr.xml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/cyclonedx/vdr.xml
8
reference_url https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
9
reference_url https://logging.apache.org/security.html#CVE-2026-34480
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:43:51Z/
url https://logging.apache.org/security.html#CVE-2026-34480
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34480
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34480
11
reference_url http://www.openwall.com/lists/oss-security/2026/04/10/9
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/10/9
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133847
reference_id 1133847
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133847
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457328
reference_id 2457328
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457328
14
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
15
reference_url https://github.com/advisories/GHSA-3pxv-7cmr-fjr4
reference_id GHSA-3pxv-7cmr-fjr4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3pxv-7cmr-fjr4
fixed_packages
0
url pkg:maven/org.apache.logging.log4j/log4j-core@2.25.4
purl pkg:maven/org.apache.logging.log4j/log4j-core@2.25.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-core@2.25.4
1
url pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
purl pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4nzu-3a6y-jqab
1
vulnerability VCID-hhc8-3wd3-4bh5
2
vulnerability VCID-s9nz-6x8z-ykgz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
aliases CVE-2026-34480, GHSA-3pxv-7cmr-fjr4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hhc8-3wd3-4bh5
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3