CVE-2026-34480: Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Published Apr 10, 2026
Apache Log4j Core's XmlLayout
Affected Software
11 affected components
Fixes available
maven/org.apache.logging.log4j:log4j-core >=3.0.0-alpha1 <3.0.0-beta3
3.0.0-beta3
maven/org.apache.logging.log4j:log4j-core >=2.0-alpha1 <2.25.4
2.25.4
maven/org.apache.logging.log4j:log4j-core >=3.0.0-alpha1 <=3.0.0-beta3
Apache Log4j >=2.0 <2.25.4
Apache Log4j =3.0.0-alpha1
Apache Log4j =3.0.0-alpha1_rc1
Apache Log4j =3.0.0-alpha1_rc2
Apache Log4j =3.0.0-beta1
Apache Log4j =3.0.0-beta2
Apache Log4j =3.0.0-beta3
IBM watsonx.data<=2.2- 2.3.1
Remediation
Patch Available
Event History
Apr 10, 2026
CVE Published
via MITRE·03:42 PM
Data Sourced
via MITRE·03:42 PM
Description, Weakness
Data Sourced
via NVD·04:16 PM
Description, Severity, Weakness
Data Sourced
via NVD·04:16 PM
Remedy, Affected Software
Advisory Published
via GitHub·06:31 PM
Data Sourced
via GitHub·06:31 PM
Description, Weakness, Affected Software
May 9, 2026
Data Sourced
via IBM·12:00 AM
Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-34480?
The severity of CVE-2026-34480 is classified as important due to its potential to cause silent log event loss.
2. How do I fix CVE-2026-34480?
To fix CVE-2026-34480, upgrade to version 2.25.4 or later, or to 3.0.0-beta3.
3. What versions are affected by CVE-2026-34480?
CVE-2026-34480 affects Apache Log4j Core versions up to and including 2.25.3.
4. What is the impact of CVE-2026-34480?
The impact of CVE-2026-34480 is the silent loss of log events due to unescaped forbidden XML characters.
5. Is there a workaround for CVE-2026-34480?
There is no documented workaround for CVE-2026-34480; upgrading to a patched version is recommended.