PT-2026-31942 · Apache · Apache Log4J Core

Ap4Sh

Published 2026-04-10 · Updated 2026-05-15 · CVE-2026-34480

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Log4j Core versions up to and including 2.25.3

Description: Apache Log4j Core's XmlLayout fails to sanitize characters forbidden by the XML 1.0 specification, resulting in invalid XML output when log messages or MDC values contain such characters. The impact varies depending on the StAX implementation used. With the JRE built-in StAX, forbidden characters are silently written, leading to malformed XML that may be rejected by parsers. With alternative StAX implementations like Woodstox, an exception is thrown, preventing the log event from being delivered to its intended appender.

Recommendations: Upgrade to Apache Log4j Core 2.25.4 to correct this issue.
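As an added example (not code from Log4j or from this advisory), the Python below encodes the XML 1.0 "Char" production as a regular expression, checks a constructed log message and MDC values for code points outside it, renders them through a hypothetical minimal XML event layout (render_event, a stand-in for XmlLayout, not its implementation) and shows that a strict parser rejects the unsanitized document while accepting the sanitized one. The sample event, the ANSI escape and NUL it carries, and the U+FFFD replacement policy are all assumptions of this example; the behaviour it demonstrates is the "forbidden characters silently written, malformed XML rejected by parsers" case from the description.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters XML 1.0 allows anywhere in a document (the "Char" production):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything outside that set (other C0 controls, U+FFFE/U+FFFF, ...) is
# forbidden and cannot even be written as a character reference.
_XML10_FORBIDDEN = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)
_ATTR_ESCAPES = {'"': "&quot;"}


def forbidden_code_points(text: str) -> list:
    """Return the code points in text that XML 1.0 does not permit, in order of appearance."""
    return [ord(ch) for ch in _XML10_FORBIDDEN.findall(text)]


def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Replace every forbidden code point so the text can go into well-formed XML."""
    return _XML10_FORBIDDEN.sub(replacement, text)


def render_event(message: str, mdc: dict, sanitize_output: bool) -> str:
    """Hypothetical minimal XML rendering of one log event (a stand-in, not Log4j's XmlLayout).

    escape() only rewrites the markup characters & < > (and " in attributes);
    like a lenient XML writer it passes forbidden control characters through
    unchanged, so without sanitize_output the result can be malformed XML.
    """
    if sanitize_output:
        message = sanitize(message)
        mdc = {key: sanitize(value) for key, value in mdc.items()}
    context = "".join(
        f'<item key="{escape(key, _ATTR_ESCAPES)}">{escape(value)}</item>'
        for key, value in mdc.items()
    )
    return (
        f"<Event><Message>{escape(message)}</Message>"
        f"<ContextMap>{context}</ContextMap></Event>"
    )


def is_well_formed(xml_text: str) -> bool:
    """True if a strict parser (expat, via ElementTree) accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed sample event: the message carries an ANSI escape (ESC, U+001B)
# and one MDC value carries a NUL; both lie outside the XML 1.0 Char set.
SAMPLE_MESSAGE = "login failed for user alice \x1b[31m(colour code)"
SAMPLE_MDC = {"session": "sess-42\x00", "client": "203.0.113.7"}


def demo() -> dict:
    """Render the sample event both ways and report what a strict parser makes of each."""
    raw = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, sanitize_output=False)
    clean = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, sanitize_output=True)
    return {
        "forbidden_in_message": forbidden_code_points(SAMPLE_MESSAGE),
        "forbidden_in_mdc": {k: forbidden_code_points(v) for k, v in SAMPLE_MDC.items()},
        "raw_well_formed": is_well_formed(raw),
        "sanitized_well_formed": is_well_formed(clean),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same regular expression can be run as a detection check over an existing XML log archive: any line where forbidden_code_points returns a non-empty list is one a strict consumer (a SIEM XML parser, or a Woodstox-backed writer at emit time) will choke on. The replacement character is a policy choice; dropping the offending code point or rendering it as a visible escape such as \u001b are equally valid as long as the result stays inside the Char set.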

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-34480
GHSA-3PXV-7CMR-FJR4
OPENSUSE-SU-2026:10544-1

Affected Products

Apache Log4J Core