VulnerableCode Package Details - pkg:maven/ch.qos.logback/logback-core@1.5.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-pnxr-hj9y-yfd9 Aliases: CVE-2026-1225 GHSA-qqpg-mvqg-649v	Logback allows an attacker to instantiate classes already present on the class path ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.	1.5.25 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-pnxr-hj9y-yfd9
Aliases:
CVE-2026-1225
GHSA-qqpg-mvqg-649v

Logback allows an attacker to instantiate classes already present on the class path ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

1.5.25
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7z5b-4xfw-27ar	QOS.CH logback-core Server-Side Request Forgery vulnerability Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.	CVE-2024-12801 GHSA-6v67-2wr5-gvf4
VCID-jrv7-8e72-pyhb	QOS.CH logback-core Expression Language Injection vulnerability ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.	CVE-2024-12798 GHSA-pr98-23f8-jwxv

Vulnerability

Summary

Aliases

VCID-7z5b-4xfw-27ar

QOS.CH logback-core Server-Side Request Forgery vulnerability Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.

CVE-2024-12801
GHSA-6v67-2wr5-gvf4

VCID-jrv7-8e72-pyhb

QOS.CH logback-core Expression Language Injection vulnerability ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

CVE-2024-12798
GHSA-pr98-23f8-jwxv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:11:48.910918+00:00	GitLab Importer	Affected by	VCID-pnxr-hj9y-yfd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2026-1225.yml	38.4.0
2026-04-16T23:17:30.492043+00:00	GitLab Importer	Fixing	VCID-7z5b-4xfw-27ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12801.yml	38.4.0
2026-04-16T23:17:26.013285+00:00	GitLab Importer	Fixing	VCID-jrv7-8e72-pyhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12798.yml	38.4.0
2026-04-12T01:35:35.982527+00:00	GitLab Importer	Affected by	VCID-pnxr-hj9y-yfd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2026-1225.yml	38.3.0
2026-04-12T00:36:17.774880+00:00	GitLab Importer	Fixing	VCID-7z5b-4xfw-27ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12801.yml	38.3.0
2026-04-12T00:36:12.909074+00:00	GitLab Importer	Fixing	VCID-jrv7-8e72-pyhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12798.yml	38.3.0
2026-04-07T04:56:40.859005+00:00	GHSA Importer	Fixing	VCID-jrv7-8e72-pyhb	https://github.com/advisories/GHSA-pr98-23f8-jwxv	38.1.0
2026-04-07T04:56:40.828660+00:00	GHSA Importer	Fixing	VCID-7z5b-4xfw-27ar	https://github.com/advisories/GHSA-6v67-2wr5-gvf4	38.1.0
2026-04-03T01:44:35.820336+00:00	GitLab Importer	Affected by	VCID-pnxr-hj9y-yfd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2026-1225.yml	38.1.0
2026-04-03T00:44:06.359210+00:00	GitLab Importer	Fixing	VCID-7z5b-4xfw-27ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12801.yml	38.1.0
2026-04-03T00:44:01.571910+00:00	GitLab Importer	Fixing	VCID-jrv7-8e72-pyhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12798.yml	38.1.0
2026-04-02T12:40:35.056232+00:00	GitLab Importer	Fixing	VCID-7z5b-4xfw-27ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12801.yml	38.0.0
2026-04-02T12:40:34.881597+00:00	GitLab Importer	Fixing	VCID-jrv7-8e72-pyhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/ch.qos.logback/logback-core/CVE-2024-12798.yml	38.0.0
2026-04-01T12:50:16.971028+00:00	GithubOSV Importer	Fixing	VCID-7z5b-4xfw-27ar	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-6v67-2wr5-gvf4/GHSA-6v67-2wr5-gvf4.json	38.0.0
2026-04-01T12:50:07.465025+00:00	GithubOSV Importer	Fixing	VCID-jrv7-8e72-pyhb	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-pr98-23f8-jwxv/GHSA-pr98-23f8-jwxv.json	38.0.0