Org.apache.logging.log4j:log4j-core
This hub aggregates every CVE we track for Org.apache.logging.log4j:log4j-core, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 8
- Critical: 3
- High: 1
- In CISA KEV: 2
Severity distribution: Medium 3, Critical 3, Low 1, High 1
Monthly trend (chart, 2024-07 to 2026-06)
Latest CVEs
The 8 most recently published vulnerabilities affecting Org.apache.logging.log4j:log4j-core.
- CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender (score 4.8)
- CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender (score 7.5)
- CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration (score 6.6)
- CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (score 5.9)
- CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack (KEV, score 9.0)
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (KEV, score 10.0)
- CVE-2020-9488: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log me... (score 3.7)
- CVE-2017-5645: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent tha... (score 9.8)
Product normalization is registry-driven with AI assist and human review.