PT-2025-34481 · Apache · Apache Log4Cxx

Published

2023-05-08

·

Updated

2025-11-05

·

CVE-2025-54812

CVSS v2.0

5.5

Medium

Vector AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Log4cxx versions prior to 1.5.0
Description: Apache Log4cxx contains an Improper Output Neutralization for Logs issue. When HTMLLayout is used, logger names are written to the HTML log file without escaping. If the name of a logger is derived from untrusted data, an attacker can inject HTML or JavaScript into the log file, leading to cross-site scripting (XSS) when a user opens the generated HTML file in a browser. Exploitation requires all of the following: Log4cxx is configured with HTMLLayout, a logger name is built from an untrusted string, a logger with that name logs at least one message, and a user opens the generated HTML log file in a browser. Note that escaping the log message alone does not help; the logger-name column is the unescaped field.
Recommendations: Upgrade to Apache Log4cxx 1.5.0 or later. Until then, do not build logger names from untrusted input, or restrict them to a safe character set before calling the logger factory.
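The chain described above, as an added example that is not Apache Log4cxx code: a minimal stand-in for the HTMLLayout logger-name column that reproduces the unescaped "before" pattern beside the escaped form, a caller-side sanitizer for logger names on builds older than 1.5.0, and a check that tells the two rendered rows apart. The row template, the helper names and the attacker-controlled sample name (constructed here, e.g. a value taken from an HTTP header) are assumptions of this example; the real log4cxx entry point for the untrusted name would be its logger factory, which this example does not link against.

```cpp
// Added example, not Apache Log4cxx code: models the HTMLLayout logger-name
// column to show why an unescaped logger name becomes stored XSS in the log.
#include <cctype>
#include <iostream>
#include <string>

// Escape the characters that change meaning inside HTML text or attributes.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern (hypothetical stand-in for the pre-1.5.0 behaviour):
// the message column is escaped but the logger name is written raw.
std::string vulnerableHtmlRow(const std::string& loggerName, const std::string& message) {
    return "<tr><td>" + loggerName + "</td><td>" + htmlEscape(message) + "</td></tr>";
}

// Hardened form: every attacker-influenced field, logger name included, is escaped.
std::string safeHtmlRow(const std::string& loggerName, const std::string& message) {
    return "<tr><td>" + htmlEscape(loggerName) + "</td><td>" + htmlEscape(message) + "</td></tr>";
}

// Caller-side mitigation for builds older than 1.5.0: derive the logger name
// from untrusted input by allowing only alphanumerics, '.', '_' and '-',
// which is all a hierarchical logger name needs. Anything else becomes '_'.
std::string sanitizeLoggerName(const std::string& untrusted) {
    std::string out;
    for (char c : untrusted) {
        bool ok = std::isalnum(static_cast<unsigned char>(c)) || c == '.' || c == '_' || c == '-';
        out += ok ? c : '_';
    }
    return out.empty() ? std::string("unnamed") : out;
}

// Detection helper for the rendered row: the fixed template above contributes
// exactly six '<' characters (<tr>, <td>, </td>, <td>, </td>, </tr>); any
// additional '<' means raw markup from a field survived into the HTML.
bool rowContainsRawMarkup(const std::string& row) {
    int lt = 0;
    for (char c : row) if (c == '<') ++lt;
    return lt > 6;
}

int main() {
    // Constructed attacker-controlled logger name (e.g. copied from a request header).
    const std::string untrustedName = "web.<script>alert(document.cookie)</script>";
    const std::string message = "request handled";

    std::cout << "vulnerable row: " << vulnerableHtmlRow(untrustedName, message) << "\n";
    std::cout << "  raw markup present: " << std::boolalpha
              << rowContainsRawMarkup(vulnerableHtmlRow(untrustedName, message)) << "\n";
    std::cout << "escaped row:    " << safeHtmlRow(untrustedName, message) << "\n";
    std::cout << "  raw markup present: "
              << rowContainsRawMarkup(safeHtmlRow(untrustedName, message)) << "\n";
    std::cout << "sanitized name: " << sanitizeLoggerName(untrustedName) << "\n";
    return 0;
}
```

The sanitizer is the practical stop-gap where upgrading is not yet possible: applied before the untrusted string reaches the logger factory, it removes the characters a browser would interpret, so the layout's missing escaping no longer matters. It is not a substitute for the fix, since any other layout or appender that writes logger names into markup would need the same treatment.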

Fix

Upgrade to Apache Log4cxx 1.5.0 or later.

Weakness Enumeration

Improper Output Neutralization for Logs (CWE-117), resulting in cross-site scripting when the generated HTML log file is opened in a browser

Related Identifiers

BDU:2025-13810
BDU:2025-13811
BDU:2025-13812
CVE-2025-54812
DLA-4322-1
OPENSUSE-SU-2025:15549-1

Affected Products

Apache Log4Cxx
Debian
Red Os