Description
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

* JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
* Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.


Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Published: 2026-04-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log corruption and potential loss of log event data
Action: Upgrade
AI Analysis

Impact

Apache Log4j Core's XmlLayout does not sanitize characters forbidden by the XML 1.0 specification. When log messages or MDC values contain these characters, the layout writes them unchanged or throws an exception, producing malformed XML. Conforming XML parsers then reject the document or downstream systems drop the affected log records, resulting in partial or total loss of log events and loss of audit trail evidence.

Affected Systems

The vulnerability affects Apache Log4j Core versions up to and including 2.25.3, regardless of the underlying StAX implementation. The built‑in JRE StAX results in silent corruption, while alternative StAX libraries such as Woodstox cause an exception that prevents the event from reaching its intended appender.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate impact. EPSS is below 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of exploitation. Attackers would need to supply log inputs containing forbiddable XML characters; the effect is loss of logging integrity rather than remote code execution. The risk is primarily to incident response and compliance audits where log completeness is essential.

Generated by OpenCVE AI on April 14, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Log4j Core to version 2.25.4, which sanitizes forbidden XML characters before output.
  • If an immediate upgrade is not possible, remove or replace XmlLayout with a safer layout such as PatternLayout or JSONLayout and reconfigure the logging architecture accordingly.
  • Ensure that any auxiliary StAX libraries (e.g., Woodstox) are either removed or mitigated by disabling XmlLayout when they are in use.

Generated by OpenCVE AI on April 14, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3pxv-7cmr-fjr4 Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
History

Fri, 24 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:log4j:3.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-168
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Title Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
First Time appeared Apache
Apache log4j
Weaknesses CWE-116
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4j
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Apache Log4j
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:45:07.434Z

Reserved: 2026-03-28T15:29:27.095Z

Link: CVE-2026-34480

cve-icon Vulnrichment

Updated: 2026-04-10T16:18:19.775Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T16:16:31.463

Modified: 2026-04-24T18:21:54.990

Link: CVE-2026-34480

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-10T15:42:03Z

Links: CVE-2026-34480 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:24Z

Weaknesses