Log4J 2 Log4j vulnerabilities

4 known vulnerabilities affecting log4j_2/log4j.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2026-40977 | MEDIUM | CVSS 4.7 | 2026-04-27
CVE-2026-40977 [MEDIUM] CWE-59 Spring Boot: Spring Boot: Local file corruption via PID file manipulation
A flaw was found in Spring Boot when an application is configured to use `ApplicationPidFileWriter`. A local attacker with write access to the PID file's location can exploit this vulnerability to corrupt one arbitrary file on the host each time the application is started. This can lead to data integrity issues or a de
redhat
CVE-2026-40970 | MEDIUM | CVSS 5.0 | 2026-04-27
CVE-2026-40970 [MEDIUM] CWE-295 Spring Boot: Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows information disclosure
A flaw was found in Spring Boot. When configured to use an SSL (Secure Sockets Layer) bundle, the Elasticsearch auto-configuration component does not perform hostname verification when establishing a connection to the Elast
redhat
CVE-2026-33557 | CRITICAL | CVSS 9.1 | 2026-04-20
CVE-2026-33557 [CRITICAL] CWE-303 kafka: Apache Kafka: Authentication bypass via improper JWT validation
A flaw was found in Apache Kafka. By default, the `sasl.oauthbearer.jwt.validator.class` property is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`, which does not validate JSON Web Token (JWT) signatures, issuers, or audiences. A remote attacker can exploit this by crafting a malicious JWT toke
redhat
CVE-2026-35554 | HIGH | CVSS 8.7 | 2026-04-07
CVE-2026-35554 [HIGH] CWE-367 Apache Kafka Clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management
A flaw was found in the Apache Kafka Java producer client. A race condition in the client's buffer pool management can cause messages to be silently delivered to incorrect topics. This occurs
redhat