CVE-2026-34480
CVSS v4.0 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
10/04/2026
Last modified:
10/04/2026
Description
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

* JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
* Alternative StAX implementations (e.g., Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
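The following is an added example, not Log4j's own code, written in Python so it runs stand-alone. It encodes the XML 1.0 "Char" production cited above as a regular expression, offers a check that defenders can run over existing XML log output to find records a conforming parser would reject, and shows the effect of the fix described in the advisory (sanitizing before output) by rendering a constructed event through a simplified, hypothetical XmlLayout-like format. The `<Event>`/`<Message>`/`<ContextMap>` element names are a stand-in for illustration, not Log4j's actual schema, and the sample message and MDC values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything outside these ranges (C0 controls other than TAB/LF/CR,
# surrogates, U+FFFE/U+FFFF) is forbidden even when escaped as text.
_FORBIDDEN = re.compile(
    "[^\t\n\r\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def find_forbidden(text):
    """Return the sorted set of code points in `text` that XML 1.0 forbids.

    Useful as a detection check over raw log strings or XML log files:
    a non-empty result means a conforming parser will reject the document.
    """
    return sorted({ord(ch) for ch in _FORBIDDEN.findall(text)})


def sanitize(text, replacement="\ufffd"):
    """Replace forbidden characters with U+FFFD (allowed by XML 1.0)."""
    return _FORBIDDEN.sub(replacement, text)


def render_event(message, mdc, sanitize_first):
    """Render a log event in a simplified, hypothetical XmlLayout-like shape.

    `sanitize_first=False` mirrors the vulnerable behaviour (characters are
    XML-escaped but forbidden code points pass through); `True` mirrors the
    corrected behaviour of sanitizing before XML output.
    """
    if sanitize_first:
        message = sanitize(message)
        mdc = {key: sanitize(value) for key, value in mdc.items()}
    context = "".join(
        "<Data name=%s>%s</Data>" % (quoteattr(key), escape(value))
        for key, value in mdc.items()
    )
    return "<Event><Message>%s</Message><ContextMap>%s</ContextMap></Event>" % (
        escape(message),
        context,
    )


def is_well_formed(xml_text):
    """True if a conforming XML parser (expat, via ElementTree) accepts it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a message with a C0 control (U+0001) and an MDC
    # value with U+001F, both forbidden by XML 1.0.
    message = "user login\x01 failed"
    mdc = {"requestId": "req-42\x1f"}
    print("forbidden code points in message:", find_forbidden(message))
    print("unsanitized well-formed:", is_well_formed(render_event(message, mdc, False)))
    print("sanitized well-formed:  ", is_well_formed(render_event(message, mdc, True)))
```

Running `find_forbidden` over each record of an existing XML log file is a quick way to inventory events that downstream processors would have dropped before the upgrade to 2.25.4; `sanitize` is only an illustration of the mitigation, and the supported fix remains upgrading Log4j Core.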
Impact
Base score 4.0
6.90
Severity 4.0
MEDIUM
References to solutions, tools and information
- https://github.com/apache/logging-log4j2/pull/4077
- https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
- https://logging.apache.org/security.html#CVE-2026-34480
- http://www.openwall.com/lists/oss-security/2026/04/10/9