Description
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.



A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

Please note that in logack version 1.5.37 conditional processing using Janino was removed.
Published: 2026-06-24
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ACE vulnerability in conditional configuration file processing by QOS.CH Logback‑core, in versions up to 1.5.36, allows an attacker to execute arbitrary code by compromising an existing Logback configuration file or by injecting an environment variable before program execution. The vulnerability bypasses the safeguards implemented against CVE‑2025‑11226, enabling code execution through Janino, which must be present on the application's classpath. The attacker also needs write access to the configuration file or control over the environment variable, and the attack requires existing local privileges.

Affected Systems

Java applications that use QOS.CH Logback‑core 1.5.36 or earlier and have the Janino library available on the classpath, or that permit environment variables to reference external Logback configuration files, are impacted. The vulnerability is absent in Logback‑core 1.5.37 and later.

Risk and Exploitability

The CVSS score of 7 indicates a high impact on confidentiality, integrity, and availability for privileged users. The EPSS score of less than 1 % shows a low likelihood of exploitation in the wild, and the vulnerability is not cataloged in CISA’s KEV list. Expl of Janino, and either write access to a Logback configuration file or control over environment variables; the overall risk to exposed systems is moderate but remains low because of the limited attack prerequisites.

Generated by OpenCVE AI on July 14, 2026 at 21:18 UTC.

Remediation

Vendor Solution

Remove Janino from the Java classpath or update to logack version 1.5.37 or later. As of logback 1.5.20, the <condition> element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.


Vendor Workaround

Remove Janino from the Java classpath or update to logack version 1.5.37 or later. As of logback 1.5.20, the <condition> element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.


OpenCVE Recommended Actions

  • Upgrade Logback‑core to version 1.5.37 or later.
  • Remove the Janino library from the application’s classpath so the vulnerable code path cannot be exercised.
  • Restrict write access to the Logback configuration file.
  • Prevent untrusted users or processes from configuration files.
  • Use the <condition> element with a custom PropertyEvaluator introduced in Logback‑core 1.5.20 to avoid using Janino.

Generated by OpenCVE AI on July 14, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:45:00 +0000

Type Values Removed Values Added
Description ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.35 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Please note that in logack version 1.5.37 conditional processing using Janino was removed.
References

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.35 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
References

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Qos.ch Sarl
Qos.ch Sarl logback-core
Vendors & Products Qos.ch Sarl
Qos.ch Sarl logback-core

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Title Incomplete protection against CVE-2025-11226
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green'}


Subscriptions

Qos.ch Sarl Logback-core
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-07-01T11:05:37.718Z

Reserved: 2026-06-23T14:31:36.004Z

Link: CVE-2026-13006

cve-icon Vulnrichment

Updated: 2026-06-24T12:24:24.228Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T05:41:32Z

Links: CVE-2026-13006 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T21:30:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')