VYPR

Log4cxx

by Apache

Source repositories

CVEs (4)

  • CVE-2026-40023MedApr 10, 2026
    risk 0.27cvss 5.3epss 0.01

    Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property…

  • CVE-2025-54812Aug 22, 2025
    risk 0.00cvss epss 0.01

    Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or…

  • CVE-2025-54813Aug 22, 2025
    risk 0.00cvss epss 0.01

    Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as…

  • CVE-2023-31038May 8, 2023
    risk 0.00cvss epss 0.02

    SQL injection in Log4cxx when using the ODBC appender to send log messages to a database.  No fields sent to the database were properly escaped for SQL injection.  This has been the case since at least version 0.9.0(released 2003-08-06) Note that Log4cxx is a C++…