2026-04-10T11:53:17Z Apache Logging Services https://logging.apache.org Log4cxx cpe:2.3:a:apache:log4cxx:*:*:*:*:*:*:*:* Log4cxx pkg:conan/log4cxx org.apache.logging.log4j log4j-core cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* pkg:maven/org.apache.logging.log4j/log4j-core?type=jar org.apache.logging.log4j log4j-1.2-api cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:* pkg:maven/org.apache.logging.log4j/log4j-1.2-api?type=jar org.apache.logging.log4j log4j-layout-template-json cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:* pkg:maven/org.apache.logging.log4j/log4j-layout-template-json?type=jar Log4net cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:* pkg:nuget/log4net CVE-2026-40023 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-40023 The Apache Software Foundation 6.3 medium CVSSv4 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 116 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Olawale Titiloye log4cxx =0|<1.7.0]]> log4cxx-conan =0|<1.7.0]]> CVE-2026-40021 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-40021 The Apache Software Foundation 6.3 medium CVSSv4 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 116 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z f00dat log4net =0|<3.3.0]]> CVE-2026-34481 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-34481 The Apache Software Foundation 6.3 medium CVSSv4 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 116 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Ap4sh (Samy Medjahed) Ethicxz (Eliott Laurie) log4j-layout-template-json =2.14.0|<2.25.4]]> =3.0.0-alpha1|<=3.0.0-beta3]]> CVE-2026-34480 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-34480 The Apache Software Foundation 6.9 medium CVSSv4 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 116 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Ap4sh (Samy Medjahed) Ethicxz (Eliott Laurie) jabaltarik1 log4j-core =2.0-alpha1|<2.25.4]]> =3.0.0-alpha1|<=3.0.0-beta3]]> CVE-2026-34479 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-34479 The Apache Software Foundation 6.9 medium CVSSv4 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 116 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Ap4sh (Samy Medjahed) Ethicxz (Eliott Laurie) jabaltarik1 log4j-1.2-api =2.7|<2.25.4]]> =3.0.0-alpha1|<=3.0.0-beta2]]> CVE-2026-34478 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-34478 The Apache Software Foundation 6.9 medium CVSSv4 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N 684 117 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Samuli Leinonen log4j-core =2.21.0|<2.25.4]]> =3.0.0-beta1|<=3.0.0-beta3]]> CVE-2026-34477 NVD https://nvd.nist.gov/vuln/detail/CVE-2026-34477 The Apache Software Foundation 6.3 medium CVSSv4 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N 297 ` element. Although the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when *all* of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested `` element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName[`verifyHostname`] attribute that was not subject to this bug and verifies host names by default.]]> 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z Samuli Leinonen Naresh Kandula Vitaly Simonovich Raijuna Danish Siddiqui Markus Magnuson Haruki Oyama log4j-core =2.12.0|<2.25.4]]> =3.0.0-alpha1|<=3.0.0-beta3]]> CVE-2025-68161 NVD https://nvd.nist.gov/vuln/detail/CVE-2025-68161 The Apache Software Foundation 6.3 medium CVSSv4 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N 297 2025-12-18T16:09:38Z 2025-12-18T16:09:38Z 2025-12-18T16:09:38Z log4j-core =2.0-beta9|<2.25.3]]> CVE-2025-54813 NVD https://nvd.nist.gov/vuln/detail/CVE-2025-54813 NVD https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N 6.3 medium CVSSv4 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N 117 2025-08-22T07:31:10Z 2025-08-22T07:31:10Z 2026-04-10T11:53:17Z Sovereign Tech Agency https://www.sovereign.tech/ log4cxx =0.11.0|<1.5.0]]> log4cxx-conan =0.11.0|<1.5.0]]> CVE-2025-54812 NVD https://nvd.nist.gov/vuln/detail/CVE-2025-54812 NVD https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N 2.1 low CVSSv4 AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N 117 2025-08-22T07:31:10Z 2025-08-22T07:31:10Z 2026-04-10T11:53:17Z Sovereign Tech Agency https://www.sovereign.tech/ log4cxx log4cxx-conan CVE-2021-44832 NVD https://nvd.nist.gov/vuln/detail/CVE-2021-44832 NVD 6.6 medium CVSSv3 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 20 74 2021-12-28T00:00:00Z 2021-12-28T00:00:00Z 2025-08-17T11:18:06Z log4j-core =2.0-beta7|<2.3.1]]> =2.4|<2.12.3]]> =2.13.0|<2.17.0]]> CVE-2021-45105 NVD https://nvd.nist.gov/vuln/detail/CVE-2021-45105 LOG4J2-3230 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-3230 NVD 5.9 medium CVSSv3 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 20 674 2021-12-18T00:00:00Z 2021-12-18T00:00:00Z 2022-10-06T00:00:00Z Hideki Okamoto Guy Lederfein log4j-core =2.0-alpha1|<2.3.1]]> =2.4|<2.12.3]]> =2.13.0|<2.17.0]]> CVE-2021-45046 NVD https://nvd.nist.gov/vuln/detail/CVE-2021-45046 LOG4J2-3221 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-3221 NVD 9.0 critical CVSSv3 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 917 2021-12-14T00:00:00Z 2021-12-14T00:00:00Z 2025-08-17T11:18:06Z Kai Mindermann 4ra1n Ash Fox Alvaro Muñoz Tony Torralba Anthony Weems RyotaK log4j-core =2.0-beta9|<2.3.1]]> =2.4|<2.12.3]]> =2.13.0|<2.16.0]]> CVE-2021-44228 NVD https://nvd.nist.gov/vuln/detail/CVE-2021-44228 LOG4J2-3198 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-3198 LOG4J2-3201 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-3201 NVD 10.0 critical CVSSv3 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 20 400 502 917 2021-12-10T00:00:00Z 2021-12-10T00:00:00Z 2025-08-17T11:18:06Z Chen Zhaojun log4j-core =2.0-beta9|<2.3.1]]> =2.4|<2.12.2]]> =2.13.0|<2.15.0]]> CVE-2020-9488 NVD https://nvd.nist.gov/vuln/detail/CVE-2020-9488 LOG4J2-2819 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-2819 NVD 3.7 low CVSSv3 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 295 2017-04-27T00:00:00Z 2017-04-27T00:00:00Z 2025-08-17T11:18:06Z Peter Stöckli log4j-core =2.0-beta1|<2.3.2]]> =2.4|<2.12.3]]> =2.13.0|<2.13.2]]> CVE-2018-1285 NVD https://nvd.nist.gov/vuln/detail/CVE-2018-1285 LOG4NET-575 Issue tracker https://issues.apache.org/jira/browse/LOG4NET-575 Security fix commit Source code repository https://github.com/apache/logging-log4net/commit/3242db510c27e825af7164415402f5012df521a2 Pull request Pull request that fixes the issue https://github.com/apache/logging-log4net/pull/64 NVD 9.8 high CVSSv3 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 611 not_affected protected_by_mitigating_control 2020-05-11T00:00:00Z 2020-05-11T00:00:00Z 2026-04-17T00:00:00Z Karthik Kumar Balasundaram log4net =0|<2.0.10]]> CVE-2017-5645 NVD https://nvd.nist.gov/vuln/detail/CVE-2017-5645 LOG4J2-1863 Issue tracker https://issues.apache.org/jira/browse/LOG4J2-1863 the security fix commit Source code repository https://github.com/apache/logging-log4j2/commit/5dcc192 NVD 7.5 high CVSSv2 AV:N/AC:L/Au:N/C:P/I:P/A:P 502 2017-04-17T00:00:00Z 2017-04-17T00:00:00Z 2022-04-04T00:00:00Z Marcio Almeida de Macedo log4j-core =2.0-alpha1|<2.8.2]]>