{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34479", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-28T14:06:31.965Z", "datePublished": "2026-04-10T15:41:07.888Z", "dateUpdated": "2026-04-10T17:47:34.402Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "cpes": ["cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "org.apache.logging.log4j:log4j-1.2-api", "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api", "product": "Apache Log4j 1 to Log4j 2 bridge", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.25.4", "status": "affected", "version": "2.7", "versionType": "maven"}, {"lessThanOrEqual": "3.0.0-beta2", "status": "affected", "version": "3.0.0-alpha1", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"}, {"lang": "en", "type": "finder", "value": "jabaltarik1 (independently)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The <code>Log4j1XmlLayout</code> from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.</p><p>Two groups of users are affected:</p><ul><li>Those using <code>Log4j1XmlLayout</code> directly in a Log4j Core 2 configuration file.</li><li>Those using the Log4j 1 configuration compatibility layer with <code>org.apache.log4j.xml.XMLLayout</code> specified as the layout class.</li></ul><p>Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.</p><p><strong>Note:</strong> The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the <a target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\">Log4j 1 to Log4j 2 migration guide</a>, and specifically the section on eliminating reliance on the bridge.</p>"}], "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-10T15:41:07.888Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/logging-log4j2/pull/4078"}, {"tags": ["vendor-advisory"], "url": "https://logging.apache.org/security.html#CVE-2026-34479"}, {"tags": ["vendor-advisory"], "url": "https://logging.apache.org/cyclonedx/vdr.xml"}, {"tags": ["related"], "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2026-02-16T17:11:00.000Z", "value": "Vulnerability reported by Ap4sh and ethicxz"}, {"lang": "en", "time": "2026-03-15T05:39:00.000Z", "value": "Independent report received from jabaltarik1"}, {"lang": "en", "time": "2026-03-24T18:56:00.000Z", "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"}, {"lang": "en", "time": "2026-03-25T09:46:00.000Z", "value": "Fix verified by reporter"}, {"lang": "en", "time": "2026-03-28T11:19:00.000Z", "value": "Log4j 2.25.4 released"}], "title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T16:18:18.699Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T17:45:24.466114Z", "id": "CVE-2026-34479", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:47:34.402Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T16:18:18.699Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T17:45:24.466114Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:47:19.925Z"}}], "cna": {"title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"}, {"lang": "en", "type": "finder", "value": "jabaltarik1 (independently)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"], "vendor": "Apache Software Foundation", "product": "Apache Log4j 1 to Log4j 2 bridge", "versions": [{"status": "affected", "version": "2.7", "lessThan": "2.25.4", "versionType": "maven"}, {"status": "affected", "version": "3.0.0-alpha1", "versionType": "maven", "lessThanOrEqual": "3.0.0-beta2"}], "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api", "packageName": "org.apache.logging.log4j:log4j-1.2-api", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-16T17:11:00.000Z", "value": "Vulnerability reported by Ap4sh and ethicxz"}, {"lang": "en", "time": "2026-03-15T05:39:00.000Z", "value": "Independent report received from jabaltarik1"}, {"lang": "en", "time": "2026-03-24T18:56:00.000Z", "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"}, {"lang": "en", "time": "2026-03-25T09:46:00.000Z", "value": "Fix verified by reporter"}, {"lang": "en", "time": "2026-03-28T11:19:00.000Z", "value": "Log4j 2.25.4 released"}], "references": [{"url": "https://github.com/apache/logging-log4j2/pull/4078", "tags": ["patch"]}, {"url": "https://logging.apache.org/security.html#CVE-2026-34479", "tags": ["vendor-advisory"]}, {"url": "https://logging.apache.org/cyclonedx/vdr.xml", "tags": ["vendor-advisory"]}, {"url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html", "tags": ["related"]}, {"url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.", "supportingMedia": [{"type": "text/html", "value": "<p>The <code>Log4j1XmlLayout</code> from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.</p><p>Two groups of users are affected:</p><ul><li>Those using <code>Log4j1XmlLayout</code> directly in a Log4j Core 2 configuration file.</li><li>Those using the Log4j 1 configuration compatibility layer with <code>org.apache.log4j.xml.XMLLayout</code> specified as the layout class.</li></ul><p>Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.</p><p><strong>Note:</strong> The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the <a target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\">Log4j 1 to Log4j 2 migration guide</a>, and specifically the section on eliminating reliance on the bridge.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-10T15:41:07.888Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34479", "state": "PUBLISHED", "dateUpdated": "2026-04-10T17:47:34.402Z", "dateReserved": "2026-03-28T14:06:31.965Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-10T15:41:07.888Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."}], "id": "CVE-2026-34479", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2026-04-10T16:16:31.270", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/logging-log4j2/pull/4078"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"}, {"source": "security@apache.org", "url": "https://logging.apache.org/cyclonedx/vdr.xml"}, {"source": "security@apache.org", "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"}, {"source": "security@apache.org", "url": "https://logging.apache.org/security.html#CVE-2026-34479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4j 2 bridge: Log processing denial of service due to improper XML escaping", "id": "2457313", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457313"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-91", "details": ["A flaw was found in the Apache Log4j 1-to-Log4j 2 bridge. The Log4j1XmlLayout component fails to properly escape characters forbidden by the XML 1.0 standard. This improper handling of characters results in malformed XML output, which can cause downstream log processing systems to drop or fail to index affected records. The primary consequence is a denial of service for log analysis, potentially hindering security monitoring and incident response."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34479", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhokp-core-encrypted", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-modelmesh-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-modelmesh-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "log4j-1.2-api", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-10T15:41:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34479\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34479\nhttps://github.com/apache/logging-log4j2/pull/4078\nhttps://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on\nhttps://logging.apache.org/cyclonedx/vdr.xml\nhttps://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\nhttps://logging.apache.org/security.html#CVE-2026-34479"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.7,2.25.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-alpha1,3.0.0-beta2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Log4j 1 to Log4j 2 bridge", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "log4j", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T02:07:02.903844+00:00", "value": {"mitigation_remediation": ["Upgrade the Apache Log4j 1-to-Log4j 2 bridge to version 2.25.4 or later.", "If the bridge is no longer needed, remove it from the application to eliminate the vulnerability.", "Disable Log4j1XmlLayout or the XMLLayout class when they are not required.", "Verify that downstream log processing systems correctly handle escaped characters and monitor for missing events.", "Follow the Log4j 1 to Log4j 2 migration guide to phase out the bridge entirely."], "summary": {"action": "Patch Upgrade", "impact": "Silent log event loss via malformed XML"}, "threat_synthesis": {"affected_systems": "Deployments using the Apache Log4j 1-to-Log4j 2 bridge are vulnerable. This includes configurations that employ Log4j1XmlLayout directly in Log4j Core 2, and those that use the Log4j 1 compatibility layer with org.apache.log4j.xml.XMLLayout. The vulnerability applies to any version prior to the corrected 2.25.4 release; no specific older version range is listed.", "description_and_impact": "The Log4j1XmlLayout component fails to escape characters forbidden by XML 1.0, producing malformed XML logs. Conforming parsers reject such documents with a fatal error, causing downstream log processing to drop or fail to index these events. The defect does not provide arbitrary code execution but leads to loss of audit data, reducing the integrity of logs.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The CVE is not in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need the ability to inject log entries containing XML\u2011forbidden characters, typically by influencing application input that is logged. No remote code execution or elevated privilege is required, so the risk of exploitation remains relatively low, but the loss of logs can impair incident response and compliance."}}}}, "created": "2026-04-13T12:44:43.077727+00:00", "updated": "2026-04-14T16:36:25.795140+00:00", "vendors": ["apache", "apache$PRODUCT$log4j"]}