CVE-2026-34480

High

Published: 10 April 2026

Published

10 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0015 35.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34480 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache Log4J. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-5 (Response to Audit Logging Process Failures) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Transmitted Data Manipulation (T1565.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of flaws like CVE-2026-34480 by patching Log4j Core to version 2.25.4.

AU-5 Response to Audit Logging Process Failures good match

detectrespond

Mandates alerting personnel and taking actions upon audit logging process failures, such as exceptions thrown by vulnerable XmlLayout during forbidden character processing.

SI-10 Information Input Validation partial match

prevent

Requires validation of user inputs before logging to block XML-forbidden characters that attackers inject to trigger malformed output or exceptions.

MITRE ATT&CK Enterprise TechniquesAI

T1565.002 Transmitted Data Manipulation Impact

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

The vulnerability allows control over log/MDC content to inject forbidden XML characters, producing malformed output that causes integrity violations or dropped records in downstream XML processing, directly enabling transmitted data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact…

depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Deeper analysisAI

Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3, contains a vulnerability (CVE-2026-34480) where it fails to sanitize characters forbidden by the XML 1.0 specification in log messages or Mapped Diagnostic Context (MDC) values. This results in invalid XML output when such characters are present. The issue affects applications using Log4j Core with XmlLayout for logging, particularly those relying on downstream XML processing.

Attackers with the ability to control log message content or MDC values—such as through user inputs that are logged—can exploit this remotely with low complexity and no privileges required (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N; CWE-116). Depending on the StAX implementation, exploitation produces either malformed XML that conforming parsers reject, potentially causing downstream log-processing systems to drop affected records, or throws an exception (e.g., with Woodstox, a transitive dependency of Jackson XML Dataformat), preventing delivery to the intended appender and routing only to Log4j's internal status logger. This leads to log record loss or integrity violations.

Apache advisories recommend upgrading to Log4j Core 2.25.4, which addresses the issue by sanitizing forbidden characters before XML output. Relevant resources include the official security advisory at https://logging.apache.org/security.html#CVE-2026-34480, the fixing pull request at https://github.com/apache/logging-log4j2/pull/4077, and the XmlLayout documentation at https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout.

Details

CWE(s): CWE-116

Affected Products

apache

log4j

3.0.0 · 2.0 — 2.25.4

CVEs Like This One

CVE-2026-34481Same product: Apache Log4J

CVE-2026-34478Same product: Apache Log4J

CVE-2026-34483Same vendor: Apache

CVE-2024-55532Same vendor: Apache

CVE-2025-66524Same vendor: Apache

CVE-2026-24308Same vendor: Apache

CVE-2026-30911Same vendor: Apache

CVE-2026-41602Same vendor: Apache

CVE-2025-62188Same vendor: Apache

CVE-2026-40010Same vendor: Apache

References

https://github.com/apache/logging-log4j2/pull/4077
Issue Tracking, Patch · security@apache.org
https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
Mailing List, Vendor Advisory · security@apache.org
https://logging.apache.org/cyclonedx/vdr.xml
Product · security@apache.org
https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
Technical Description · security@apache.org
https://logging.apache.org/security.html#CVE-2026-34480
Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2026/04/10/9
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108