Apache Software Foundation Apache Log4J Core vulnerabilities

4 known vulnerabilities affecting apache_software_foundation/apache_log4j_core.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 4

Vulnerabilities

CVE-2026-34477 | MEDIUM | CVSS 6.3 | Affected: ≥ 2.12.0, < 2.25.4; ≥ 3.0.0-alpha1, ≤ 3.0.0-beta3 | 2026-04-10
CVE-2026-34477 [MEDIUM] CWE-297
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/man
Sources: cvelistv5
CVE-2026-34480 | MEDIUM | CVSS 6.9 | Affected: ≥ 2.0-alpha1, < 2.25.4; ≥ 3.0.0-alpha1, ≤ 3.0.0-beta3 | 2026-04-10
CVE-2026-34480 [MEDIUM] CWE-116
CVE-2026-34480: Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout),
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depend
Sources: cvelistv5, nvd
CVE-2026-34478 | MEDIUM | CVSS 6.9 | Affected: ≥ 2.21.0, < 2.25.4; ≥ 3.0.0-beta1, ≤ 3.0.0-beta3 | 2026-04-10
CVE-2026-34478 [MEDIUM] CWE-117
CVE-2026-34478: Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424L
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5
Sources: cvelistv5, nvd
CVE-2025-68161 | MEDIUM | CVSS 6.3 | Affected: ≥ 2.12.0, < 2.25.4; ≥ 3.0.0-alpha1, ≤ 3.0.0-beta3 | 2025-12-18
CVE-2025-68161 [MEDIUM] CWE-297
CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS host
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the log4j2.sslVerifyHostName https://logging.apa
Sources: cvelistv5, nvd