VYPR
Low severity · GHSA Advisory · Published Jan 22, 2026 · Updated Apr 15, 2026

CVE-2026-1225

Description

An arbitrary code execution (ACE) vulnerability in configuration file processing in QOS.CH logback-core, up to and including version 1.5.24, allows an attacker to instantiate classes already present on the class path of a Java application by compromising an existing logback configuration file.

Instantiating a potentially malicious Java class requires that the class already be present on the user's class path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
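The two preconditions above that can be checked on disk, an affected logback-core version and a configuration file that more than its owner can write, are audited in the following added example (not code from the advisory or the logback project). It assumes jars keep the standard `logback-core-<version>.jar` file name and that configuration files use the conventional names `logback.xml` and `logback-test.xml`; the function names are hypothetical.

```python
import re
import stat
from pathlib import Path

FIXED = (1, 5, 25)  # first patched logback-core release per the advisory
# Assumption: plain release jars; qualifier suffixes and jars nested
# inside fat jars are not matched and need a separate check.
JAR_RE = re.compile(r"^logback-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Assumption: configuration files use logback's conventional names.
CONFIG_NAMES = {"logback.xml", "logback-test.xml"}


def affected_jars(root):
    """Return logback-core jars under root whose version is below FIXED."""
    hits = []
    for jar in Path(root).rglob("logback-core-*.jar"):
        m = JAR_RE.match(jar.name)
        if m and tuple(map(int, m.groups())) < FIXED:
            hits.append(jar)
    return sorted(hits)


def loosely_writable_configs(root):
    """Return logback config files that group or other users may write."""
    hits = []
    for path in Path(root).rglob("*.xml"):
        if path.name in CONFIG_NAMES:
            mode = path.stat().st_mode
            # Owner write access is not flagged; review who owns the file.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(path)
    return sorted(hits)


def audit(root):
    """Check both on-disk preconditions named in the advisory."""
    return {"affected_jars": affected_jars(root),
            "writable_configs": loosely_writable_configs(root)}


if __name__ == "__main__":
    import sys
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key, paths in report.items():
        for p in paths:
            print(f"{key}: {p}")
```

Run it against an application's deployment directory; a configuration file loaded from another location (for example one set through a system property) has to be checked separately.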

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ch.qos.logback:logback-core (Maven) | < 1.5.25 | 1.5.25

Affected products: 158
