Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:nuget/log4net@3.0.3
Typenuget
Namespace
Namelog4net
Version3.0.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.3.0
Latest_non_vulnerable_version3.3.0
Affected_by_vulnerabilities
0
url VCID-6t9d-d4yx-hua7
vulnerability_id VCID-6t9d-d4yx-hua7
summary 
Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
Apache Log4net's  XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list  and  XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.

An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40021
reference_id
reference_type
scores
0
value 0.00285
scoring_system epss
scoring_elements 0.52279
published_at 2026-06-09T12:55:00Z
1
value 0.00285
scoring_system epss
scoring_elements 0.52257
published_at 2026-06-08T12:55:00Z
2
value 0.00285
scoring_system epss
scoring_elements 0.52286
published_at 2026-06-07T12:55:00Z
3
value 0.00285
scoring_system epss
scoring_elements 0.52306
published_at 2026-06-06T12:55:00Z
4
value 0.00285
scoring_system epss
scoring_elements 0.52299
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40021
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40021
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40021
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/logging-log4net
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/logging-log4net
4
reference_url https://github.com/apache/logging-log4net/pull/280
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:32:06Z/
url https://github.com/apache/logging-log4net/pull/280
5
reference_url https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:32:06Z/
url https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7
6
reference_url https://logging.apache.org/cyclonedx/vdr.xml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:32:06Z/
url https://logging.apache.org/cyclonedx/vdr.xml
7
reference_url https://logging.apache.org/log4net/manual/configuration/layouts.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:32:06Z/
url https://logging.apache.org/log4net/manual/configuration/layouts.html
8
reference_url https://logging.apache.org/security.html#CVE-2026-40021
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:32:06Z/
url https://logging.apache.org/security.html#CVE-2026-40021
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40021
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40021
10
reference_url http://www.openwall.com/lists/oss-security/2026/04/10/11
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/10/11
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133360
reference_id 1133360
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133360
12
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*
13
reference_url https://github.com/advisories/GHSA-4f7c-pmjv-c25w
reference_id GHSA-4f7c-pmjv-c25w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4f7c-pmjv-c25w
fixed_packages
0
url pkg:nuget/log4net@3.3.0
purl pkg:nuget/log4net@3.3.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/log4net@3.3.0
aliases CVE-2026-40021, GHSA-4f7c-pmjv-c25w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6t9d-d4yx-hua7
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:nuget/log4net@3.0.3