Apache Log4j vulnerabilities
32 known vulnerabilities affecting apache/log4j.
Total CVEs: 32
CISA KEV: 2 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 8 · HIGH 10 · MEDIUM 12 · LOW 2
Vulnerabilities
Page 1 of 2
CVE-2026-22741 [LOW] CVSS 3.1 · CWE-838 · 2026-04-29
Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
A flaw was found in Spring MVC and Spring WebFlux applications. A remote attacker can exploit this vulnerability by sending malicious requests to poison the resource cache with incorrectly encoded resources. This can lead to a denial of service (DoS) by disrupting the front-e
Source: redhat
CVE-2026-40976 [CRITICAL] CVSS 9.1 · CWE-305 · 2026-04-27
Spring Boot: Security bypass due to ineffective default web security
A flaw was found in Spring Boot. Under specific conditions, including being a servlet-based web application without custom Spring Security configuration and relying on the default web security filter chain, a remote attacker could bypass security. This allows unauthorized access to all application en
Source: redhat
CVE-2026-40975 [HIGH] CVSS 7.5 · CWE-338 · 2026-04-27
Spring Boot: Weak pseudo-random number generation can lead to information disclosure
A flaw was found in Spring Boot. The `${random.value}` property source utilizes a weak pseudo-random number generator (PRNG), meaning the values it produces are not sufficiently random for use as cryptographic secrets. An attacker could potentially predict these values,
Source: redhat
CVE-2026-40972 [HIGH] CVSS 7.5 · CWE-208 · 2026-04-27
Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and up
Source: redhat
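The CWE-208 entry above says a secret comparison leaks timing. The following is an added example, not Spring Boot's code: a constructed oracle that reports how many bytes an early-exit comparison examined (standing in for measured latency), the byte-at-a-time recovery that this leak enables, and the same attack failing against a constant-time comparison. The secret `7f3a9c21` and the hex alphabet are constructed for the example.

```python
import hmac


class ComparisonOracle:
    """Constructed stand-in for a service that checks a shared secret and, in
    place of wall-clock time, reports how many bytes it examined (the quantity
    a remote timing attack estimates from response latency)."""

    def __init__(self, secret: bytes, constant_time: bool):
        self._secret = secret
        self.constant_time = constant_time

    def check(self, guess: bytes):
        """Return (matched, work). `work` is the timing side channel."""
        if len(guess) != len(self._secret):
            return False, 0
        if self.constant_time:
            # hmac.compare_digest inspects every byte whatever the guess is, so the
            # work is a constant and leaks nothing about the matching prefix.
            return hmac.compare_digest(self._secret, guess), len(self._secret)
        # Early-exit comparison (the pattern CWE-208 describes): the loop stops at
        # the first differing byte, so work == length of the matching prefix + 1.
        work = 0
        for a, b in zip(self._secret, guess):
            work += 1
            if a != b:
                return False, work
        return True, work


def recover_secret(oracle: ComparisonOracle, length: int, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Byte-at-a-time recovery: at each position keep the candidate that made the
    oracle do the most work. Costs len(alphabet) * length queries, not len(alphabet) ** length."""
    known = b""
    for pos in range(length):
        best, best_work = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, work = oracle.check(guess)
            if matched:
                return guess
            if work > best_work:
                best, best_work = c, work
        known += bytes([best])
    return known


def demo() -> dict:
    secret = b"7f3a9c21"  # constructed example secret; hex alphabet so padding bytes never collide
    leaky = recover_secret(ComparisonOracle(secret, constant_time=False), len(secret))
    safe = recover_secret(ComparisonOracle(secret, constant_time=True), len(secret))
    return {"early_exit_recovered": leaky == secret, "constant_time_recovered": safe == secret}
```

Over a real network the per-byte difference is buried in jitter and has to be recovered statistically from many samples; the oracle here is idealised to make the mechanism visible. The fix is the one the constant-time branch shows: compare with a routine whose running time does not depend on where the inputs differ.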
CVE-2026-40973 [HIGH] CVSS 7.0 · CWE-341 · 2026-04-27
Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the `ApplicationTemp` directory due to predictable temporary directory handling. When the `server.servlet.session.persistent` setting
Source: redhat
CVE-2026-40971 [MEDIUM] CVSS 5.0 · CWE-295 · 2026-04-27
Spring Boot: Information disclosure and data tampering via missing hostname verification
A flaw was found in Spring Boot. When configured to use an SSL (Secure Sockets Layer) bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. This vulnerability could allow an attacker on th
Source: redhat
CVE-2026-40977 [MEDIUM] CVSS 4.7 · CWE-59 · 2026-04-27
Spring Boot: Local file corruption via PID file manipulation
A flaw was found in Spring Boot when an application is configured to use `ApplicationPidFileWriter`. A local attacker with write access to the PID file's location can exploit this vulnerability to corrupt one arbitrary file on the host each time the application is started. This can lead to data integrity issues or a de
Source: redhat
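The two local-attacker entries above (CVE-2026-40973, predictable temporary directory; CVE-2026-40977, PID file written through an attacker-controlled path) are the same class of bug: a privileged writer trusts a path in a location others can write to. The following is an added example, not Spring Boot's code, that stages the attack on POSIX (a symlink pre-planted at the PID-file path), shows a naive writer clobbering the link target, and then the two hardening moves: create-only, no-follow file creation with `O_EXCL | O_NOFOLLOW`, and an unpredictable mode-0700 per-process directory instead of a fixed name under a shared temp directory. File names and contents are constructed.

```python
import os
import stat
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """A writer that trusts the path: open() follows a symlink planted there."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write_new(path: str, data: bytes) -> None:
    """Create the file only if nothing exists at `path`, and never follow a symlink.
    O_EXCL makes a pre-planted link (or file) an error; O_NOFOLLOW is belt-and-braces."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def private_app_temp(base: str) -> str:
    """Replace a predictable, shared-tmp directory name with a per-process directory
    whose name is random and whose mode denies group/other access (mkdtemp uses 0700)."""
    d = tempfile.mkdtemp(prefix="app-", dir=base)
    st = os.lstat(d)
    if not stat.S_ISDIR(st.st_mode) or (st.st_mode & 0o077):
        raise RuntimeError("temp directory is not a private directory")
    return d


def demo() -> dict:
    with tempfile.TemporaryDirectory() as shared:   # stands in for a world-writable /tmp
        victim = os.path.join(shared, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original config\n")
        # Attacker pre-plants a symlink at the predictable PID-file location.
        pidfile = os.path.join(shared, "app.pid")
        os.symlink(victim, pidfile)

        naive_write(pidfile, b"12345\n")
        with open(victim, "rb") as f:
            clobbered = f.read() != b"original config\n"

        with open(victim, "wb") as f:               # restore, then try the hardened writer
            f.write(b"original config\n")
        try:
            safe_write_new(pidfile, b"12345\n")
            refused = False
        except OSError:                              # EEXIST: the planted link blocks creation
            refused = True
        with open(victim, "rb") as f:
            unchanged = f.read() == b"original config\n"

        d = private_app_temp(shared)
        private = (os.stat(d).st_mode & 0o077) == 0
    return {"naive_clobbered": clobbered, "safe_refused": refused,
            "victim_unchanged_after_safe": unchanged, "private_dir": private}
```

Refusing to start when the PID file already exists is the right behaviour for a daemon: a stale file is a signal to the operator, and silently truncating whatever is at that path is exactly the primitive the entry describes.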
CVE-2026-40974 [MEDIUM] CVSS 5.0 · CWE-295 · 2026-04-27
Spring Boot: Security bypass in Cassandra SSL connections
A flaw was found in Spring Boot's Cassandra auto-configuration. This vulnerability allows an adjacent attacker to bypass hostname verification during SSL (Secure Sockets Layer) connection establishment to Cassandra. This could enable a man-in-the-middle attack, potentially leading to unauthorized infor
Source: redhat
CVE-2026-40970 [MEDIUM] CVSS 5.0 · CWE-295 · 2026-04-27
Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows information disclosure
A flaw was found in Spring Boot. When configured to use an SSL (Secure Sockets Layer) bundle, the Elasticsearch auto-configuration component does not perform hostname verification when establishing a connection to the Elast
Source: redhat
CVE-2026-41044 [HIGH] CVSS 8.8 · CWE-94 · 2026-04-24
Apache ActiveMQ (activemq-broker, activemq-all): Arbitrary code execution via improper input validation in admin console
A flaw was found in Apache ActiveMQ. An authenticated attacker can exploit an improper input validation vulnerability in the admin web console to craf
Source: redhat
CVE-2026-40466 [HIGH] CVSS 8.8 · CWE-94 · PoC · 2026-04-24
Apache ActiveMQ (activemq-all, activemq-broker): Arbitrary code execution via improper input validation in HTTP Discovery transport
A flaw was found in Apache ActiveMQ. An authenticated attacker can bypass a previous security fix by adding a connector using an
Source: redhat
CVE-2026-33557 [CRITICAL] CVSS 9.1 · CWE-303 · 2026-04-20
Apache Kafka: Authentication bypass via improper JWT validation
A flaw was found in Apache Kafka. By default, the `sasl.oauthbearer.jwt.validator.class` property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT toke
Source: redhat
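The Kafka entry above describes a default validator that parses the token but checks neither signature, issuer nor audience. The following is an added example, not Kafka's code: a parse-only decoder of that kind beside a validator that performs the checks, using HS256 with a shared key so that it runs offline. The key, the issuer `https://idp.example`, the audience `kafka-broker` and all claims are constructed for the example; a real OAuth deployment verifies RS256/ES256 signatures against the issuer's published JWKS, which this does not model.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields an unsigned token (empty signature part)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """A validator that only parses: every well-formed token is 'valid' and its
    claims are trusted as-is. This is the failure mode the entry describes."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def validate(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry before trusting any claim."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust the header's choice
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def demo() -> dict:
    key = b"constructed-shared-hmac-key"            # assumption: HS256 shared secret
    iss, aud = "https://idp.example", "kafka-broker"  # assumption: expected issuer/audience
    exp = 2_000_000_000                             # far-future expiry keeps the example deterministic
    honest = mint({"iss": iss, "aud": aud, "sub": "svc-orders", "exp": exp}, key)
    forged = mint({"iss": iss, "aud": aud, "sub": "admin", "exp": exp}, b"attacker-guess")
    alg_none = mint({"iss": iss, "aud": aud, "sub": "admin", "exp": exp}, b"", alg="none")
    outcome = {}
    for name, tok in (("honest", honest), ("forged_signature", forged), ("alg_none", alg_none)):
        unverified_sub = decode_unverified(tok)["sub"]   # what a parse-only validator believes
        try:
            validate(tok, key, iss, aud, now=1_700_000_000)
            verdict = "accepted"
        except ValueError as e:
            verdict = f"rejected: {e}"
        outcome[name] = (unverified_sub, verdict)
    return outcome
```

The order of checks matters: the algorithm is pinned before the signature is read, so an `alg: none` header never reaches a code path that treats an empty signature as valid, and the signature is checked before any claim is examined, so issuer and audience are only compared on data the key holder actually produced.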
CVE-2026-34477 [MEDIUM] CVSS 6.3 · affected ≥ 2.12.0, < 2.25.4 · v3.0.0 · 2026-04-10
The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the verifyHostName https://logging
Source: nvd
CVE-2026-34480 [MEDIUM] CVSS 6.9 · CWE-116 · affected ≥ 2.0, < 2.25.4 · v3.0.0 · 2026-04-10
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depend
Source: nvd
CVE-2026-34478 [MEDIUM] CVSS 6.9 · CWE-117 · affected ≥ 2.21.0, < 2.25.4 · v3.0.0 · 2026-04-10
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5
Source: nvd
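The Rfc5424Layout entry above concerns CRLF injection against stream-based syslog receivers. The following is an added example, not Log4j's layout code: a minimal RFC 5424 formatter and the two RFC 6587 TCP framings, fed a constructed message that carries a CRLF and a forged header for a different host and application. Newline framing with unescaped CR/LF splits the event into two records and the forged one parses as genuine; escaping the newlines, or using octet-counted framing, keeps it as one record. The timestamp, host names and message text are constructed.

```python
import re

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$", re.S)


def format_rfc5424(msg: str, host: str = "app01", app: str = "payments",
                   escape_newlines: bool = False) -> str:
    """Render one event. With escape_newlines the CR/LF that would terminate a
    newline-framed record are replaced by their visible escapes."""
    if escape_newlines:
        msg = msg.replace("\r", "\\r").replace("\n", "\\n")
    return f"<14>1 2026-04-10T12:00:00Z {host} {app} 4242 - - {msg}"


def frame_non_transparent(record: str) -> bytes:
    """RFC 6587 non-transparent framing: a record ends at LF, so an LF inside MSG ends it early."""
    return (record + "\n").encode()


def frame_octet_counted(record: str) -> bytes:
    """RFC 6587 octet-counting: the length prefix, not the content, delimits the record."""
    body = record.encode()
    return f"{len(body)} ".encode() + body


def receive_non_transparent(stream: bytes):
    return [line for line in stream.decode().split("\n") if line]


def receive_octet_counted(stream: bytes):
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        records.append(stream[sp + 1:sp + 1 + n].decode())
        i = sp + 1 + n
    return records


def parse(record: str):
    m = _RFC5424.match(record)
    if not m:
        return None
    return {"pri": int(m.group(1)), "host": m.group(3), "app": m.group(4), "msg": m.group(8) or ""}


def origins(records):
    """(host, app) the receiver attributes each record to."""
    return [(parse(r)["host"], parse(r)["app"]) for r in records]


def demo() -> dict:
    # Constructed hostile input: a user-controlled value carrying CRLF plus a complete
    # forged header that claims to come from a different host and application.
    hostile = ("user login failed\r\n"
               "<14>1 2026-04-10T12:00:00Z auth01 sshd 1 - - Accepted password for root from 10.0.0.9")
    naive = receive_non_transparent(frame_non_transparent(format_rfc5424(hostile)))
    escaped = receive_non_transparent(frame_non_transparent(format_rfc5424(hostile, escape_newlines=True)))
    counted = receive_octet_counted(frame_octet_counted(format_rfc5424(hostile)))
    return {"newline_framed": origins(naive), "newline_framed_escaped": origins(escaped),
            "octet_counted": origins(counted)}
```

When checking a deployment, the question is which of the two defences is actually in force: whether the layout's newline-escaping attribute is set under the name the running version recognises, and whether the receiver is configured for octet-counted framing. The entry's point is that a renamed attribute silently leaves the first defence off.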
CVE-2026-34479 [MEDIUM] CVSS 6.9 · CWE-116 · affected ≥ 2.7, < 2.25.4 · v3.0.0 · 2026-04-10
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Source: nvd
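CVE-2026-34480 (XmlLayout) and CVE-2026-34479 (Log4j1XmlLayout) above are the same defect: characters outside the XML 1.0 `Char` production reach the output unchanged and a conforming parser then rejects the whole document. The following is an added example, not Log4j's layout code, that implements the check and the fix in one place: a scanner for forbidden characters, a sanitiser, a small XML renderer with constructed element names (not the layouts' own schema), and a parse test with expat showing that the unsanitised event is a fatal error while the sanitised one is accepted. The log message and MDC values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Complement of the XML 1.0 Char production (https://www.w3.org/TR/xml/#charsets):
# Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_FORBIDDEN = re.compile("[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")


def find_forbidden(text: str):
    """Positions and code points of characters XML 1.0 does not allow anywhere in a document."""
    return [(m.start(), f"U+{ord(m.group()):04X}") for m in _FORBIDDEN.finditer(text)]


def sanitize(text: str, replacement: str = "\uFFFD") -> str:
    """Replace forbidden characters. Entity escaping (&#x1B;) would NOT help: a character
    reference to a forbidden code point is itself a well-formedness violation."""
    return _FORBIDDEN.sub(replacement, text)


def xml_event(message: str, mdc: dict, sanitize_values: bool = False) -> str:
    """Render one log event as XML. escape()/quoteattr() handle markup characters
    (<, &, quotes); only sanitize() handles characters that are forbidden outright."""
    fix = sanitize if sanitize_values else (lambda s: s)
    parts = ['<event level="INFO">', f"<message>{escape(fix(message))}</message>"]
    for key, value in mdc.items():
        parts.append(f"<item key={quoteattr(fix(key))}>{escape(fix(value))}</item>")
    parts.append("</event>")
    return "".join(parts)


def parses(doc: str) -> bool:
    """Whether a conforming parser (expat) accepts the document."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def demo() -> dict:
    # Constructed event: an ANSI colour escape and a BEL smuggled in through user-controlled values.
    message = "login failed for user \x1b[31madmin\x1b[0m"
    mdc = {"client": "10.0.0.9\x07", "request": "GET /"}
    return {
        "forbidden_in_message": find_forbidden(message),
        "raw_parses": parses(xml_event(message, mdc)),
        "sanitized_parses": parses(xml_event(message, mdc, sanitize_values=True)),
    }
```

The operational consequence is the one the entry names: one event containing a stray control character can take the whole batch with it at the indexer, so any input an attacker influences (usernames, headers, paths) is enough to suppress log records. Scanning archived logs with `find_forbidden` is a quick way to find out whether this has already been happening.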
CVE-2026-34481 [MEDIUM] CVSS 6.3 · CWE-116 · affected ≥ 2.14.0, < 2.25.4 · v3.0.0 · 2026-04-10
Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to re
Source: nvd
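The JsonTemplateLayout entry above is the JSON counterpart of the XML problem: RFC 8259 has no representation for NaN or ±Infinity, yet most serializers emit those tokens by default. The following is an added example, not Log4j's code, using Python's `json` module because it exhibits the same default: a naive renderer, a strict renderer that maps non-finite floats to a valid tagged object and refuses to emit anything non-finite, and a parser configured to reject the tokens as an RFC 8259 consumer would. The log event is constructed.

```python
import json
import math


def render_event_naive(event: dict) -> str:
    """Default encoders (Python's json included) emit NaN/Infinity tokens, which
    RFC 8259 does not define: the output is not JSON."""
    return json.dumps(event)


def _finite_only(value):
    """Recursively replace non-finite floats with an explicit, valid JSON value.
    null would also be valid; a tagged object keeps the fact that the value was NaN/Inf."""
    if isinstance(value, float) and not math.isfinite(value):
        return {"non_finite": repr(value)}
    if isinstance(value, dict):
        return {k: _finite_only(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_finite_only(v) for v in value]
    return value


def render_event_strict(event: dict) -> str:
    """allow_nan=False turns any remaining non-finite float into an exception rather
    than invalid output, so a gap in the mapping above cannot silently corrupt the log."""
    return json.dumps(_finite_only(event), allow_nan=False)


def strict_parse(doc: str):
    """Parse as an RFC 8259 consumer would: NaN/Infinity/-Infinity are rejected.
    Returns (object, ok)."""
    def refuse(token):
        raise ValueError(f"{token!r} is not a JSON value")
    try:
        return json.loads(doc, parse_constant=refuse), True
    except ValueError:
        return None, False


def demo() -> dict:
    # Constructed event: a ratio that divided by zero and a rate that overflowed.
    event = {"level": "WARN", "message": "latency stats", "ratio": float("nan"),
             "rate": float("inf"), "samples": [1.5, float("-inf")]}
    naive, strict = render_event_naive(event), render_event_strict(event)
    return {"naive_output": naive, "naive_accepted": strict_parse(naive)[1],
            "strict_output": strict, "strict_accepted": strict_parse(strict)[1]}
```

Whether a given pipeline drops, truncates or mis-parses the record depends on the consumer's JSON library; some accept the non-standard tokens and some fail the whole line. Feeding each consumer's parser one line from `render_event_naive` is the direct way to find out which behaviour you have.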
CVE-2026-35554 [HIGH] CVSS 8.7 · CWE-367 · 2026-04-07
Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management
A flaw was found in the Apache Kafka Java producer client. A race condition in the client's buffer pool management can cause messages to be silently delivered to incorrect topics. This occurs
Source: redhat
CVE-2025-68161 [MEDIUM] CVSS 6.3 · CWE-297 · affected ≥ 2.0.1, < 2.25.3 · v2.0 · 2025-12-18
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the log4j2.sslVerifyHostName https://logging.apa
Source: nvd
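Five entries on this page are the same omission on the client side of TLS: the Log4j Socket Appender (CVE-2025-68161 and its incomplete fix CVE-2026-34477) and Spring Boot's RabbitMQ, Cassandra and Elasticsearch auto-configuration (CVE-2026-40971, CVE-2026-40974, CVE-2026-40970) validate the certificate chain but never compare the certificate's names with the host they meant to reach. The following is an added example, not code from either project: the RFC 6125 style name comparison that such a check performs, on certificate data shaped like Python's `ssl.SSLSocket.getpeercert()`, and a modelled client showing that with the check disabled a CA-issued certificate for any other name is accepted. The certificates, host names and address are constructed; chain validation is assumed to have already passed.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one DNS SAN against the configured host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False                       # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Only a whole leftmost label may be a wildcard, and only when at least two
        # labels remain (so "*.com" is rejected; public-suffix rules are not modelled).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False                       # partial wildcards such as "f*.example" are rejected
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """`cert` is shaped like ssl.SSLSocket.getpeercert(): a 'subjectAltName' tuple of
    (type, value) pairs. With SANs present the subject CN is ignored, as modern clients do."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    return any(_dns_name_matches(v, hostname) for t, v in sans if t == "DNS")


def connect(peer_cert: dict, configured_host: str, verify_hostname: bool) -> str:
    """Models the client side of an SSL-bundle connection after chain validation passed.
    Without the name check, any certificate the CA issued, for any host, is accepted,
    which is what lets a machine on the path stand in for the broker."""
    if verify_hostname and not hostname_matches(peer_cert, configured_host):
        raise ConnectionError(f"peer certificate does not cover {configured_host!r}")
    return "connected"


# Constructed certificates (only the fields the check consumes); both are assumed to
# chain to the same trusted CA, so chain validation alone cannot tell them apart.
BROKER_CERT = {"subject": ((("commonName", "ignored.example"),),),
               "subjectAltName": (("DNS", "*.broker.example"), ("IP Address", "10.0.0.5"))}
ATTACKER_CERT = {"subject": ((("commonName", "rabbit1.broker.example"),),),
                 "subjectAltName": (("DNS", "mitm.attacker.example"),)}


def demo() -> dict:
    host = "rabbit1.broker.example"
    try:
        connect(ATTACKER_CERT, host, verify_hostname=True)
        verified = "connected"
    except ConnectionError:
        verified = "refused"
    return {"broker_cert_ok": hostname_matches(BROKER_CERT, host),
            "attacker_without_check": connect(ATTACKER_CERT, host, verify_hostname=False),
            "attacker_with_check": verified}
```

Nobody should ship this matcher in place of their TLS library's own (Python's `ssl.create_default_context()` enables `check_hostname` and does this inside the handshake); it is here to make concrete what is skipped. Two points it makes explicit: the attacker's certificate carries the broker's name in its CN and is still refused, because a certificate with SANs is judged on its SANs only; and the outcome of the check must be tied to the host the client was configured with, not to anything read from the connection.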
CVE-2023-26464 [HIGH] CVSS 7.5 · CWE-502 · affected ≥ 1.0.4, < 2.0 · 2023-03-10
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the vi
Source: nvd