PT-2026-31941 · Apache · Log4J 1-To-Log4J 2 Bridge
Ap4Sh +1 · Published 2026-02-16 · Updated 2026-05-27 · CVE-2026-34479
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Apache Log4j 1-to-Log4j 2 bridge versions prior to 2.25.4
Description
The Log4j1XmlLayout component fails to escape characters forbidden by the XML 1.0 standard, resulting in malformed XML output. Because conforming XML parsers must reject documents containing these characters with a fatal error, downstream log processing systems may drop or fail to index the affected records. This issue affects users employing Log4j1XmlLayout directly in a Log4j Core 2 configuration file or those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Recommendations
Upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4.
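To check whether XML log records already collected contain the characters the description refers to, the following added example (not Apache's code and not the 2.25.4 fix) scans records for code points outside the XML 1.0 Char production and confirms the verdict with a conforming parser. The function names and the simplified sample records are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Complement of the XML 1.0 "Char" production, which allows only
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
FORBIDDEN_XML10 = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")

# Constructed sample records (simplified, not real XMLLayout output).
SAMPLE_RECORDS = [
    '<event logger="app.Login" level="INFO"><message>user=alice ok</message></event>',
    '<event logger="app.Login" level="WARN"><message>user=bob\x1b\x0b failed</message></event>',
    '<event logger="app.Login" level="INFO"><message>tab\tand\nnewline</message></event>',
]


def find_forbidden(text):
    """Return (offset, 'U+XXXX') for every character XML 1.0 forbids."""
    return [(m.start(), f"U+{ord(m.group()):04X}")
            for m in FORBIDDEN_XML10.finditer(text)]


def parser_accepts(record):
    """True if a conforming parser (expat via ElementTree) accepts the record."""
    try:
        ET.fromstring(record)
        return True
    except (ET.ParseError, UnicodeEncodeError):
        # ParseError: fatal well-formedness error. UnicodeEncodeError: a lone
        # surrogate cannot even be encoded as UTF-8 for the parser.
        return False


def triage(records):
    """Per record: (index, parser verdict, forbidden characters found)."""
    return [(i, parser_accepts(r), find_forbidden(r)) for i, r in enumerate(records)]


if __name__ == "__main__":
    for index, accepted, findings in triage(SAMPLE_RECORDS):
        status = "accepted" if accepted else "REJECTED by parser"
        print(f"record {index}: {status} {findings}")
```

Records that the parser rejects are the ones a downstream indexer would drop, so their offsets point at the events to re-examine in the raw log.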
Weakness Enumeration
Improper Encoding or Escaping of Output
Affected Products
Log4J 1-To-Log4J 2 Bridge