Apache log4j

This hub aggregates every CVE we track for Apache log4j, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache log4j.

• CVE-2026-34481Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout7.5Apr 10, 2026
• CVE-2026-34480Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters7.5Apr 10, 2026
• CVE-2026-34479Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters7.5Apr 10, 2026
• CVE-2026-34478Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility7.5Apr 10, 2026
• CVE-2026-34477Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass5.9Apr 10, 2026
• CVE-2025-68161Apache Log4j Core: Missing TLS hostname verification in Socket appender4.8Dec 18, 2025
• CVE-2023-26464Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender7.5Mar 10, 2023
• CVE-2022-0070Log4j hot patch package privilege escalation8.8Apr 19, 2022
• CVE-2021-3100Log4j hot patch package privilege escalation8.8Apr 19, 2022
• CVE-2022-23307A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.8.8Jan 18, 2022
• CVE-2022-23305SQL injection in JDBC Appender in Apache Log4j V19.8Jan 18, 2022
• CVE-2022-23302Deserialization of untrusted data in JMSSink in Apache Log4j 1.x8.8Jan 18, 2022
• CVE-2021-44832Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration6.6Dec 28, 2021
• CVE-2021-45105Apache Log4j2 does not always protect from infinite recursion in lookup evaluation5.9Dec 18, 2021
• CVE-2021-45046Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attackKEV9.0Dec 14, 2021