VYPR

Logging Log4j2

by Apache

Source repositories

CVEs (3)

  • CVE-2026-34479 | High | Apr 10, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause…

  • CVE-2026-34477 | Medium | Apr 10, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) …

  • CVE-2025-68161 | Dec 18, 2025
    risk 0.00 | cvss | epss 0.01

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) …