PT-2026-31983 · Apache · Apache Log4Cxx

Olawale Titiloye · Published 2026-04-10 · Updated 2026-04-16

CVE-2026-40023 · CVSS v4.0 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Log4cxx versions prior to 1.7.0

Description: Apache Log4cxx's XMLLayout fails to sanitize characters forbidden by the XML 1.0 specification in log messages, NDC, and MDC property keys and values, resulting in invalid XML output. This can cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, potentially impairing audit trails and detection of malicious activity.

Recommendations: Upgrade to Apache Log4cxx version 1.7.0.
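The following is an added example, not code from Apache Log4cxx or from this advisory. It shows the defensive idea behind the fix: a pre-filter that detects and neutralises the XML 1.0 forbidden characters in a message or MDC key/value before the XMLLayout serialises them, plus a strict check of the kind a downstream indexer applies when it decides whether to drop a record. It assumes UTF-8 input and covers only the C0 control class (bytes below 0x20 other than TAB, LF, CR); the surrogate and U+FFFE/U+FFFF cases the XML grammar also forbids would need full code-point decoding and are out of scope here. All function and type names are hypothetical, and the sample records are constructed.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// XML 1.0 Char production allows #x9, #xA, #xD and everything from #x20 up
// (minus a few non-characters). Any other C0 control byte is forbidden.
bool isForbiddenXmlControl(unsigned char c) {
    return c < 0x20 && c != 0x09 && c != 0x0A && c != 0x0D;
}

// Strict check, as a downstream parser/indexer would apply it. Multi-byte UTF-8
// sequences never contain bytes below 0x80, so a byte-wise scan is sufficient
// for this character class.
bool containsForbiddenXmlChar(const std::string& s) {
    for (unsigned char c : s) {
        if (isForbiddenXmlControl(c)) return true;
    }
    return false;
}

// Replace each forbidden control byte with a visible textual escape such as
// "\u0001". A numeric character reference like "&#x1;" would NOT do: XML also
// forbids references to these code points, so the record would still be invalid.
std::string sanitizeForXmlLayout(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (unsigned char c : s) {
        if (isForbiddenXmlControl(c)) {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\u%04X", static_cast<unsigned>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Hypothetical MDC entry; keys are sanitized too, since the advisory names
// MDC property keys as well as values.
struct MdcEntry {
    std::string key;
    std::string value;
};

// Build the fields that would be handed to the logging layer, all pre-filtered.
// The actual log4cxx call is omitted so the example runs without the library.
std::vector<std::string> buildSafeFields(const std::string& message,
                                         const std::vector<MdcEntry>& mdc) {
    std::vector<std::string> fields;
    fields.push_back(sanitizeForXmlLayout(message));
    for (const MdcEntry& e : mdc) {
        fields.push_back(sanitizeForXmlLayout(e.key));
        fields.push_back(sanitizeForXmlLayout(e.value));
    }
    return fields;
}

// Count how many records a strict downstream consumer would reject: this is
// the measurable symptom (dropped or unindexed records) the advisory describes.
std::size_t countRecordsDownstreamWouldReject(const std::vector<std::string>& records) {
    std::size_t n = 0;
    for (const std::string& r : records) {
        if (containsForbiddenXmlChar(r)) ++n;
    }
    return n;
}

int main() {
    // Constructed sample records: one clean, one with a NUL-adjacent SOH byte,
    // one with an ANSI escape sequence (ESC = 0x1B), one with legal whitespace.
    std::vector<std::string> records = {
        "user=alice action=login",
        std::string("user=bob\x01" " action=login"),
        std::string("user=\x1b[31mmallory\x1b[0m action=login"),
        "user=carol\taction=logout\r\n",
    };
    std::printf("records a strict consumer would reject before filtering: %zu\n",
                countRecordsDownstreamWouldReject(records));
    for (const std::string& r : records) {
        std::printf("%s\n", sanitizeForXmlLayout(r).c_str());
    }
    return 0;
}
```

The check and the filter are deliberately separate functions: the strict check is what you would run over already-written XML logs to measure how many records are affected, while the filter is what belongs in front of the layout (or in an upgrade to 1.7.0, inside it) so that no record is lost in the first place.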

Fix

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-40023
OPENSUSE-SU-2026:10566-1

Affected Products

Apache Log4Cxx