Severity: 6.9 MEDIUM
EPSS: 0.1% (top 69.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 10
Latest update: Apr 13
Description
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depends on the StAX implementation in use:
* JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conform…
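As an added illustration (not Log4j's code) of the mismatch the description refers to: the XML 1.0 Char production excludes most C0 control characters, so a log message carrying, say, an ANSI colour escape cannot be made well-formed by entity escaping alone. This assumed Python check flags such characters, shows a parser rejecting the unsanitized element, and accepts the sanitized one; the sample message is constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
def is_xml10_char(cp: int) -> bool:
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def forbidden_chars(text: str) -> list[tuple[int, int]]:
    """Return (index, code point) for every character XML 1.0 does not allow."""
    return [(i, ord(c)) for i, c in enumerate(text) if not is_xml10_char(ord(c))]

def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Replace forbidden characters; entity escaping alone cannot express them."""
    return "".join(c if is_xml10_char(ord(c)) else replacement for c in text)

def render_event(message: str, sanitized: bool) -> str:
    """Mimic a minimal XML event element (hypothetical layout, not XmlLayout).
    escape() handles <, > and & but leaves control characters untouched."""
    body = sanitize(message) if sanitized else message
    return f"<Event><Message>{escape(body)}</Message></Event>"

def is_well_formed(xml_text: str) -> bool:
    """True if a conforming parser (expat) accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False

# Constructed sample: a message carrying an ANSI colour escape and a BEL character.
SAMPLE_MESSAGE = "login failed for user \x1b[31mbob\x1b[0m\x07 <script>"

if __name__ == "__main__":
    print(forbidden_chars(SAMPLE_MESSAGE))
    print(is_well_formed(render_event(SAMPLE_MESSAGE, sanitized=False)))
    print(is_well_formed(render_event(SAMPLE_MESSAGE, sanitized=True)))
```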
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Affected Packages (2 packages)
Vulnerability Details
Vendor Advisories (3)
Red Hat: org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging (2026-04-10)
Community (7)
Bugzilla: CVE-2026-34480 resteasy: Apache Log4j Core: Invalid XML output causes denial of service in logging [fedora-all] (2026-04-13)
Bugzilla: CVE-2026-34480 log4j: Apache Log4j Core: Invalid XML output causes denial of service in logging [fedora-all] (2026-04-13)
Bugzilla: CVE-2026-34480 apache-commons-configuration: Apache Log4j Core: Invalid XML output causes denial of service in logging [fedora-all] (2026-04-13)
Bugzilla: CVE-2026-34480 cldr-emoji-annotation: Apache Log4j Core: Invalid XML output causes denial of service in logging [fedora-all] (2026-04-13)
Bugzilla: CVE-2026-34480 ceph: Apache Log4j Core: Invalid XML output causes denial of service in logging [fedora-all] (2026-04-13)