CVE Tools
Sign in

CVE-2026-34479

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

Published: Apr 10, 2026Updated: May 6, 2026 Sources: CVE List NVD BDUCWE-116
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.5%
Top 59.2%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-116

Affected Products

Apache Log4j 1 to Log4j 2 bridgeApache Software Foundation
Mixed
Web & CMS Plugins / cms-core
log4japache
LibraryLibrary
OSS Libraries / generic-library
Apache Log4j CoreApache Software Foundation
Mixed
Web & CMS Plugins / cms-core
Apache Log4j Core 2Apache Software Foundation
Mixed
Web & CMS Plugins / cms-core
apache software foundationoss-projectUSWeb & CMS Pluginsaka apache foundation
apacheoss-projectUSWeb & CMS Pluginsaka apache http server, apache httpd

Exploitability

Official Patch Available
Workaround Available

References

https://github.com/apache/logging-log4j2/pull/4078
github.com
https://logging.apache.org/security.html#CVE-2026-34479
logging.apache.org
https://logging.apache.org/cyclonedx/vdr.xml
logging.apache.org
and 5 more references View all →

Timeline

Published
Apr 10, 2026
Last Updated
May 6, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-34479 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows