Apache · Apache Log4Cxx · CVE-2026-40023
Name of the Vulnerable Software and Affected Versions
Apache Log4cxx versions prior to 1.7.0
Description
Apache Log4cxx's XMLLayout fails to sanitize characters forbidden by the XML 1.0 specification in log messages, NDC, and MDC property keys and values, resulting in invalid XML output. This can cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, potentially impairing audit trails and detection of malicious activity.
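The character set the description refers to is the Char production of XML 1.0; the filter below applies it to UTF-8 text before that text is written as XML. This is an added example, not Log4cxx code and not the 1.7.0 fix: the function names (`is_xml10_char`, `decode_utf8`, `sanitize_xml10`), the U+FFFD replacement policy and the sample message are assumptions.

```cpp
// Added example (not Log4cxx code): restrict text to the XML 1.0 Char production.
#include <cstdint>
#include <iostream>
#include <string>

static const std::uint32_t kInvalid = 0xFFFFFFFFu;

// XML 1.0 Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
bool is_xml10_char(std::uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD || (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) || (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Decode one UTF-8 sequence at s[i] and advance i; kInvalid on malformed or overlong input.
std::uint32_t decode_utf8(const std::string& s, std::size_t& i) {
    unsigned char b0 = static_cast<unsigned char>(s[i++]);
    if (b0 < 0x80) return b0;
    int extra;
    std::uint32_t cp, lowest;
    if ((b0 & 0xE0) == 0xC0)      { extra = 1; cp = b0 & 0x1F; lowest = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { extra = 2; cp = b0 & 0x0F; lowest = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { extra = 3; cp = b0 & 0x07; lowest = 0x10000; }
    else return kInvalid;
    for (; extra > 0; --extra) {
        if (i >= s.size() || (static_cast<unsigned char>(s[i]) & 0xC0) != 0x80) return kInvalid;
        cp = (cp << 6) | (static_cast<unsigned char>(s[i++]) & 0x3F);
    }
    return cp < lowest ? kInvalid : cp;
}

// Replace every code point outside Char (and every malformed byte) with U+FFFD.
std::string sanitize_xml10(const std::string& utf8, std::size_t* replaced = nullptr) {
    std::string out;
    std::size_t n = 0;
    for (std::size_t i = 0; i < utf8.size();) {
        std::size_t start = i;
        std::uint32_t cp = decode_utf8(utf8, i);
        if (cp != kInvalid && is_xml10_char(cp)) out.append(utf8, start, i - start);
        else { out += "\xEF\xBF\xBD"; ++n; }
    }
    if (replaced) *replaced = n;
    return out;
}

int main() {
    std::size_t n = 0;
    std::string msg = std::string("login user=") + '\x01' + "bob";  // constructed sample
    std::cout << sanitize_xml10(msg, &n) << " (" << n << " replaced)\n";
    return 0;
}
```

The filter does not escape markup characters such as `<` and `&`; that remains a separate step. A non-zero replacement count is itself worth recording, since it marks input that would otherwise have produced an invalid record.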
Recommendations
Upgrade to Apache Log4cxx version 1.7.0.