CVE-2026-34480 - Medium Severity Vulnerability
Vulnerable Library - log4j-core-2.11.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
Dependency Hierarchy:
- solr-velocity-8.3.1.jar (Root Library)
- ❌ log4j-core-2.11.2.jar (Vulnerable Library)
Found in HEAD commit: bada63441522c15b923cde8a080ad10d787106e1
Found in base branch: master
Vulnerability Details
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depends on the StAX implementation in use:
- JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
- Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Publish Date: 2026-04-10
URL: CVE-2026-34480
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-10
Fix Resolution (org.apache.logging.log4j:log4j-core): 2.25.4
Direct dependency fix Resolution (org.apache.solr:solr-velocity): 8.5.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-34480 - Medium Severity Vulnerability
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
Dependency Hierarchy:
Found in HEAD commit: bada63441522c15b923cde8a080ad10d787106e1
Found in base branch: master
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depends on the StAX implementation in use:
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Publish Date: 2026-04-10
URL: CVE-2026-34480
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-04-10
Fix Resolution (org.apache.logging.log4j:log4j-core): 2.25.4
Direct dependency fix Resolution (org.apache.solr:solr-velocity): 8.5.0
⛑️ Automatic Remediation will be attempted for this issue.