Apache Log4Cxx vulnerabilities

CVE-2025-54813 [MEDIUM] CWE-117 CVE-2025-54813: Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these

CVE-2025-54812 [LOW] CWE-117 CVE-2025-54812: Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, lo Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the use

CVE-2023-31038 [HIGH] CWE-89 CVE-2023-31038: SQL injection in Log4cxx when using the ODBC appender to send log messages to a database.  No fields SQL injection in Log4cxx when using the ODBC appender to send log messages to a database. No fields sent to the database were properly escaped for SQL injection. This has been the case since at least version 0.9.0(released 2003-08-06) Note that Log4cxx is a C++ framework, so only C++ applications are affected. Before version 1.1.0, the ODBC appender