CVE-2026-40023
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
10/04/2026
Last modified:
10/04/2026
Description
Apache Log4cxx's XMLLayout (https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html), in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.
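As an added illustration (not code from Log4cxx or the linked pull request), the following C++ routine applies the XML 1.0 Char production the description refers to, replacing forbidden code points and stray bytes with U+FFFD so a record stays well-formed instead of being rejected downstream; the function names and the U+FFFD replacement policy are this example's own choices.

```cpp
#include <cstdint>
#include <string>
#include <string_view>
// XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
// #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
bool isXml10Char(uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}
// Decode one UTF-8 code point at s[i], advancing i on success; returns false
// (i unchanged) when the bytes at s[i] do not form a complete UTF-8 sequence.
static bool decodeUtf8(std::string_view s, size_t& i, uint32_t& cp) {
    unsigned char b = static_cast<unsigned char>(s[i]);
    size_t len;
    if (b < 0x80)                { cp = b;        len = 1; }
    else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; len = 2; }
    else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; len = 3; }
    else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; len = 4; }
    else return false;
    if (i + len > s.size()) return false;
    for (size_t k = 1; k < len; ++k) {
        unsigned char c = static_cast<unsigned char>(s[i + k]);
        if ((c & 0xC0) != 0x80) return false;
        cp = (cp << 6) | (c & 0x3F);
    }
    i += len;
    return true;
}
// Copy of `in` in which every code point outside the XML 1.0 Char production
// (C0 controls other than TAB/LF/CR, surrogates, U+FFFE/U+FFFF, ...) and every
// byte that is not part of a UTF-8 sequence is replaced by U+FFFD (EF BF BD).
// Run over the message, NDC and MDC keys/values before emitting an XML layout.
std::string sanitizeForXml10(std::string_view in) {
    std::string out;
    out.reserve(in.size());
    size_t i = 0;
    while (i < in.size()) {
        size_t start = i;
        uint32_t cp = 0;
        if (decodeUtf8(in, i, cp) && isXml10Char(cp)) {
            out.append(in.substr(start, i - start));   // legal: copy verbatim
        } else {
            if (i == start) ++i;   // undecodable byte: consume exactly one byte
            out += "\xEF\xBF\xBD";
        }
    }
    return out;
}
```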
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/apache/logging-log4cxx/pull/609
- https://lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html
- https://logging.apache.org/security.html#CVE-2026-40023
- http://www.openwall.com/lists/oss-security/2026/04/10/12