Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-6pf4-qvrk-kugc

Summary The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Aliases

alias	CVE-2026-34479

alias	GHSA-h383-gmxw-35v2

Fixed_packages

url	pkg:deb/debian/apache-log4j1.2@0?distro=trixie
purl	pkg:deb/debian/apache-log4j1.2@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache-log4j1.2@0%3Fdistro=trixie

url	pkg:deb/debian/apache-log4j1.2@1.2.17-10%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/apache-log4j1.2@1.2.17-10%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache-log4j1.2@1.2.17-10%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/apache-log4j1.2@1.2.17-11?distro=trixie
purl	pkg:deb/debian/apache-log4j1.2@1.2.17-11?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache-log4j1.2@1.2.17-11%3Fdistro=trixie

url	pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.4
purl	pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.4

Affected_packages

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.7

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.7

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.8.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.9.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.10.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.10.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.10.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.11.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.3

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.3

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.4

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.12.4

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.3

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.13.3

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.14.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.15.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.15.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.15.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.16.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.16.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.16.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.17.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.18.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.18.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.18.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.19.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.19.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.19.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.20.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.20.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.20.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.21.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.22.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.23.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.3

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.24.3

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.0

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.0

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.2

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.3

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@2.25.3

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta1

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta1

url pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta2

purl pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6pf4-qvrk-kugc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.logging.log4j/log4j-1.2-api@3.0.0-beta2

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34479.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34479.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34479

reference_id

reference_type

scores

value	0.00126
scoring_system	epss
scoring_elements	0.3132
published_at	2026-06-09T12:55:00Z

value	0.00126
scoring_system	epss
scoring_elements	0.31401
published_at	2026-06-05T12:55:00Z

value	0.00126
scoring_system	epss
scoring_elements	0.31367
published_at	2026-06-06T12:55:00Z

value	0.00126
scoring_system	epss
scoring_elements	0.31329
published_at	2026-06-07T12:55:00Z

value	0.00126
scoring_system	epss
scoring_elements	0.31296
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34479

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34479
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34479

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/apache/logging-log4j2

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/logging-log4j2

reference_url

https://github.com/apache/logging-log4j2/pull/4078

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/

url

https://github.com/apache/logging-log4j2/pull/4078

reference_url

https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/

url

https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on

reference_url

https://logging.apache.org/cyclonedx/vdr.xml

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/

url

https://logging.apache.org/cyclonedx/vdr.xml

reference_url

https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/

url

https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html

reference_url

https://logging.apache.org/security.html#CVE-2026-34479

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/

url

https://logging.apache.org/security.html#CVE-2026-34479

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34479

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34479

reference_url

http://www.openwall.com/lists/oss-security/2026/04/10/8

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/04/10/8

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133848
reference_id	1133848
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133848

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2457313
reference_id	2457313
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2457313

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j_1_2_api::::::::
reference_id	cpe:2.3:a:apache:log4j_1_2_api::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j_1_2_api::::::::

reference_url

https://github.com/advisories/GHSA-h383-gmxw-35v2

reference_id

GHSA-h383-gmxw-35v2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h383-gmxw-35v2

reference_url	https://access.redhat.com/errata/RHSA-2026:21773
reference_id	RHSA-2026:21773
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21773

Weaknesses

cwe_id	91
name	XML Injection (aka Blind XPath Injection)
description	The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

cwe_id	116
name	Improper Encoding or Escaping of Output
description	The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6pf4-qvrk-kugc

Vulnerability Instance