Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-92v5-qh42-hkcn
Vulnerability ID VCID-92v5-qh42-hkcn
Aliases CVE-2026-34479
GHSA-h383-gmxw-35v2
Summary
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-116 Improper Encoding or Escaping of Output
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34479.json
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2026-34479
epss 0.00126 https://api.first.org/data/v1/epss?cve=CVE-2026-34479
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-h383-gmxw-35v2
cvssv4 6.9 https://github.com/apache/logging-log4j2
generic_textual MODERATE https://github.com/apache/logging-log4j2
cvssv4 6.9 https://github.com/apache/logging-log4j2/pull/4078
generic_textual MODERATE https://github.com/apache/logging-log4j2/pull/4078
ssvc Track https://github.com/apache/logging-log4j2/pull/4078
cvssv4 6.9 https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
generic_textual MODERATE https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
ssvc Track https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
cvssv4 6.9 https://logging.apache.org/cyclonedx/vdr.xml
generic_textual MODERATE https://logging.apache.org/cyclonedx/vdr.xml
ssvc Track https://logging.apache.org/cyclonedx/vdr.xml
cvssv4 6.9 https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
generic_textual MODERATE https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
ssvc Track https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
cvssv4 6.9 https://logging.apache.org/security.html#CVE-2026-34479
generic_textual MODERATE https://logging.apache.org/security.html#CVE-2026-34479
ssvc Track https://logging.apache.org/security.html#CVE-2026-34479
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-34479
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34479
cvssv4 6.9 http://www.openwall.com/lists/oss-security/2026/04/10/8
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2026/04/10/8
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34479.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34479
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/logging-log4j2
https://nvd.nist.gov/vuln/detail/CVE-2026-34479
http://www.openwall.com/lists/oss-security/2026/04/10/8
1133848 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133848
2457313 https://bugzilla.redhat.com/show_bug.cgi?id=2457313
4078 https://github.com/apache/logging-log4j2/pull/4078
cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*
gd0hp6mj17rn3kj279vgy4p7kd4zz5on https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
GHSA-h383-gmxw-35v2 https://github.com/advisories/GHSA-h383-gmxw-35v2
migrate-from-log4j1.html https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
RHSA-2026:21773 https://access.redhat.com/errata/RHSA-2026:21773
security.html#CVE-2026-34479 https://logging.apache.org/security.html#CVE-2026-34479
vdr.xml https://logging.apache.org/cyclonedx/vdr.xml
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34479.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://github.com/apache/logging-log4j2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://github.com/apache/logging-log4j2/pull/4078
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/ Found at https://github.com/apache/logging-log4j2/pull/4078
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/ Found at https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://logging.apache.org/cyclonedx/vdr.xml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/ Found at https://logging.apache.org/cyclonedx/vdr.xml
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/ Found at https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://logging.apache.org/security.html#CVE-2026-34479
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:45:24Z/ Found at https://logging.apache.org/security.html#CVE-2026-34479
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34479
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Found at http://www.openwall.com/lists/oss-security/2026/04/10/8
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.31364
EPSS Score 0.00126
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:14:21.503052+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 38.6.0