CVE-2026-34480: Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Apache Log4j Core versions 2.0-alpha1 to 2.25.3 and 3.0.0-alpha1 to 3.0.0-beta3 are vulnerable to CVE-2026-34480, where unescaped XML 1.0 forbidden characters in XmlLayout cause silent log event loss. This flaw affects applications using these Log4j versions for XML-based logging, potentially leading to undetected data corruption or incomplete logging, without immediate failure warnings.

Posted by Piotr Karwasz on Apr 10

Severity: moderate

Affected versions:

- Apache Log4j Core (org.apache.logging.log4j:log4j-core) 2.0-alpha1 before 2.25.4
- Apache Log4j Core (org.apache.logging.log4j:log4j-core) 3.0.0-alpha1 through 3.0.0-beta3

Descriptio…
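For applications that must stay on an affected release for a while, one defensive option is to replace code points that XML 1.0 forbids before a value reaches an XML-formatted log. The sketch below is an added example, not Log4j code and not the project's fix; the class name `Xml10Sanitizer`, its methods and the sample messages are constructed for illustration.

```java
/** Added example (not Log4j code): replaces code points outside the XML 1.0 Char production. */
public final class Xml10Sanitizer {
    private static final int REPLACEMENT = 0xFFFD; // U+FFFD REPLACEMENT CHARACTER

    private Xml10Sanitizer() {}

    /** XML 1.0 Char: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]. */
    static boolean isXml10Char(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
                || (cp >= 0x20 && cp <= 0xD7FF)
                || (cp >= 0xE000 && cp <= 0xFFFD)
                || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    /** Returns the input itself if it is clean, otherwise a copy with forbidden code points replaced. */
    static String sanitize(String s) {
        if (s == null) return null;
        StringBuilder out = null; // allocated only when the first forbidden code point is seen
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i); // an unpaired surrogate is returned as its own value (D800-DFFF)
            if (!isXml10Char(cp)) {
                if (out == null) out = new StringBuilder(s.length()).append(s, 0, i);
                out.appendCodePoint(REPLACEMENT);
            } else if (out != null) {
                out.appendCodePoint(cp);
            }
            i += Character.charCount(cp);
        }
        return out == null ? s : out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample messages: plain text, NUL, ESC (ANSI colour), lone surrogate,
        // the noncharacter U+FFFE, and a valid supplementary character with a tab.
        String[] samples = {
            "login ok user=alice",
            "user=bob\u0000admin",
            "\u001B[31mfailed\u001B[0m",
            "bad\uD800pair",
            "nonchar\uFFFE",
            "ok \uD83D\uDE00 tab\there"
        };
        for (String m : samples) {
            String clean = sanitize(m);
            System.out.println((clean.equals(m) ? "clean    " : "replaced ") + clean);
        }
    }
}
```

Only the second through fifth samples are rewritten; tab and the supplementary-plane character are legal XML 1.0 characters and pass through unchanged.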
