High severity7.5NVD Advisory· Published Apr 10, 2026· Updated May 6, 2026

CVE-2026-34479

Description

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

Two groups of users are affected:

Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.

Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.

Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.logging.log4j:log4j-1.2-apiMaven	>= 2.7, < 2.25.4	2.25.4
org.apache.logging.log4j:log4j-1.2-apiMaven	>= 3.0.0-beta1, <= 3.0.0-beta2	—

Affected products

Apache/Logging Log4j2references
Apache/Log4j6 versions
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*range: >=2.7,<2.25.4
- cpe:2.3:a:apache:log4j:3.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/apache/logging-log4j2/pull/4078nvdExploitIssue TrackingPatchWEB
github.com/advisories/GHSA-h383-gmxw-35v2ghsaADVISORY
logging.apache.org/cyclonedx/vdr.xmlnvdVendor AdvisoryWEB
logging.apache.org/security.htmlnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-34479ghsaADVISORY
www.openwall.com/lists/oss-security/2026/04/10/8nvdMailing ListWEB
lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5onnvdMailing ListWEB
logging.apache.org/log4j/2.x/migrate-from-log4j1.htmlnvdMitigationWEB

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.5/ 10

CVSS v46.9

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

Probability of exploitation in the next 30 days.

0.17%

VYPR risk score

Composite of severity, exploitation, and reach.

0.49medium

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-116
Improper Encoding or Escaping of Output

CVE ID

CVE-2026-34479

Source code

github.com/apache/logging-log4j2

Credits

A(
Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)
finder
J(
jabaltarik1 (independently)
finder
P
ppkarwasz
analyst · ghsa