PT-2026-31982 · Apache · Apache Log4Net
F00Dat · Published 2026-04-10 · Updated 2026-04-10 · CVE-2026-40021
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Apache Log4net versions prior to 3.3.0
Description
Apache Log4net's XmlLayout and XmlLayoutSchemaLog4J do not properly sanitize characters forbidden by the XML 1.0 specification in MDC property keys and values, or in the identity field, all of which can carry attacker-influenced data. When such a character reaches the layout, serialization throws an exception and the log event is silently lost. An attacker who can influence these fields can therefore suppress log records, impairing audit trails and hindering the detection of malicious activity.
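The failure mode above is easiest to see with a small model of an XML layout. The following is an added example, written in Python for illustration rather than taken from log4net or its fix; it assumes a layout shape of `<event level=...><message/><properties><data name=.. value=../></properties></event>` and uses constructed sample events. `layout_event` stands in for the layout: it serializes an event and treats a result that is not well-formed XML 1.0 as the exception that drops the record. `sanitize_xml10` applies the XML 1.0 `Char` production to every attacker-influenced field first, which is the defensive check a practitioner would want in front of any XML-emitting log sink.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# XML 1.0 "Char" production (spec section 2.2):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Anything outside it (C0 controls other than TAB/LF/CR, surrogates,
# U+FFFE, U+FFFF) is illegal even when escaped as a character reference.
_XML10_ILLEGAL = re.compile(
    "[^\u0009\u000a\u000d\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def sanitize_xml10(value: str, replacement: str = "\ufffd") -> str:
    """Replace every code point that XML 1.0 forbids with a visible marker."""
    return _XML10_ILLEGAL.sub(replacement, value)


def layout_event(level: str, message: str, properties: Dict[str, str],
                 sanitize: bool) -> Optional[str]:
    """Model of an XML layout (hypothetical, not log4net's own code).

    Builds the event element, then parses the serialized text the way a
    downstream consumer would.  A parse failure plays the role of the
    serialization exception: the function returns None and the event is lost.
    """
    fix = sanitize_xml10 if sanitize else (lambda s: s)
    event = ET.Element("event", level=fix(level))
    ET.SubElement(event, "message").text = fix(message)
    props = ET.SubElement(event, "properties")
    for key, val in properties.items():          # MDC-style key/value pairs
        ET.SubElement(props, "data", name=fix(key), value=fix(val))
    xml_text = ET.tostring(event, encoding="unicode")
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return None                              # silent loss of the record
    return xml_text


def run_pipeline(events: List[Tuple[str, str, Dict[str, str]]],
                 sanitize: bool) -> Tuple[List[str], int]:
    """Push events through the layout; return (delivered records, dropped count).

    Comparing the dropped count against the number of events submitted is the
    detection check: a non-zero gap means records are vanishing.
    """
    delivered, dropped = [], 0
    for level, message, props in events:
        out = layout_event(level, message, props, sanitize)
        if out is None:
            dropped += 1
        else:
            delivered.append(out)
    return delivered, dropped


# Constructed sample events.  The second carries a NUL in an MDC-style
# property value, the third a C0 control character in the message.
SAMPLE_EVENTS = [
    ("INFO", "login ok", {"user": "alice"}),
    ("WARN", "login failed", {"user": "bob\x00"}),
    ("ERROR", "payload rejected\x01", {"user": "carol"}),
]

if __name__ == "__main__":
    for mode in (False, True):
        delivered, dropped = run_pipeline(SAMPLE_EVENTS, sanitize=mode)
        print(f"sanitize={mode}: delivered={len(delivered)} dropped={dropped}")
        for rec in delivered:
            print("  ", rec)
```

Without sanitization two of the three constructed events never reach the log, and nothing in the delivered output hints that they existed; with sanitization all three are delivered and the forbidden characters appear as U+FFFD markers, so the tampering attempt itself is now visible in the record.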
Recommendations
Upgrade to Apache Log4net version 3.3.0 or later.
Fix
Weakness Enumeration
Improper Encoding or Escaping of Output
Related Identifiers
Affected Products
Apache Log4Net