CVE-2026-34479 [EXPLOITED] [PATCHED]
Vendor: Apache Software Foundation · Product: Apache Log4j 1 to Log4j 2 bridge

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

Description

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

Two groups of users are affected:

  • Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
  • Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.

Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.

Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), and specifically the section on eliminating reliance on the bridge.
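To see why a parser drops such an event, and to check a log stream for records that would be lost, the following added example (not code from the advisory or from the Log4j project) builds a constructed Log4j 1-style XML event, scans it for code points outside the XML 1.0 "Char" production, and feeds it to a conforming parser. The event shape, the `log4j` namespace wrapper and the U+FFFD replacement strategy are this example's own assumptions, not the bridge's output or the project's fix.

```python
import xml.etree.ElementTree as ET

LOG4J_NS = "http://jakarta.apache.org/log4j/"  # prefix binding assumed for the Log4j 1 XML event format

def is_xml10_char(cp: int) -> bool:
    """True if code point cp matches the XML 1.0 'Char' production."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def forbidden_chars(text: str) -> list[tuple[int, str]]:
    """Positions and code points of characters a conforming XML 1.0 parser must reject."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if not is_xml10_char(ord(ch))]

def build_event(message: str, level: str = "INFO") -> str:
    """Constructed stand-in for one Log4j 1-style XML log event (not the bridge's own output)."""
    return (f'<log4j:event logger="app" timestamp="1775808000000" level="{level}" thread="main">'
            f"<log4j:message><![CDATA[{message}]]></log4j:message></log4j:event>")

def parses_ok(event_xml: str) -> bool:
    """Emulate a downstream consumer: wrap the event in a root that binds the prefix and parse it."""
    doc = f'<events xmlns:log4j="{LOG4J_NS}">{event_xml}</events>'
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def sanitize(text: str, replacement: str = "\uFFFD") -> str:
    """Example mitigation (assumed, not the project's patch): replace forbidden code points
    before the layout sees them. XML 1.0 does not allow these even as character references,
    so replacement rather than escaping is required."""
    return "".join(ch if is_xml10_char(ord(ch)) else replacement for ch in text)

if __name__ == "__main__":
    # Constructed samples: a clean message and one carrying raw control characters
    # (0x01 and ESC) that reached the logger from untrusted input.
    for msg in ("user login ok", "payload=\x01\x1b[31mred"):
        event = build_event(msg)
        print(f"{msg!r}: forbidden={forbidden_chars(msg)} parses={parses_ok(event)} "
              f"after_sanitize={parses_ok(build_event(sanitize(msg)))}")
```

Running `forbidden_chars` over the message field of archived events is a quick way to estimate how many records a collector has already silently rejected.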

Affected Products

Vendor: Apache Software Foundation
Product: Apache Log4j 1 to Log4j 2 bridge
Versions: 2.7, 3.0.0-alpha1

References

  • https://github.com/apache/logging-log4j2/pull/4078 (patch)
  • https://logging.apache.org/security.html#CVE-2026-34479 (vendor advisory)
  • https://logging.apache.org/cyclonedx/vdr.xml (vendor advisory)
  • https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html (related)
  • https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on (vendor advisory)

Related News (2 articles)

Tier C · VulDB · 7h ago
CVE-2026-34479 | Apache Log4j 1 to Log4j 2 Bridge up to 2.25.3/3.0.0-beta2 Log4j1XmlLayout escape output
→ No new info (linked only)

Tier C · oss-security · 7h ago
CVE-2026-34479: Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: 2.25.4
CWE: CWE-116
Published: Apr 10, 2026
Last enriched: 6h ago (v3)
Trending Score: 59
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack


Related CVEs (5)

MEDIUM · CVE-2026-34480 · EXP
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 63

CRITICAL · CVE-2026-34477 · EXP
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Trending: 60

HIGH · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 54

CRITICAL · CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Trending: 47

HIGH · CVE-2026-24880
Apache Tomcat: Request smuggling via invalid chunk extension
Trending: 47

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 10, 2026
Discovered by ZDM: Apr 10, 2026
Updated (affectedVersions, severity): Apr 10, 2026
Updated (affectedVersions, severity, exploitAvailable, activelyExploited): Apr 10, 2026
Actively Exploited: Apr 10, 2026
Exploit Available: Apr 10, 2026
Patch Available: Apr 10, 2026

Version History

Current version: v3 (last enriched 6h ago)

v3 · Tier C · 6h ago · via oss-security
Updated affected versions, changed severity to MEDIUM, and marked the vulnerability as actively exploited with an available exploit.
Fields changed: affectedVersions, severity, exploitAvailable, activelyExploited

v2 · Tier C · 6h ago · via VulDB
Updated affected versions to include 2.25.3 and 3.0.0-beta2, changed severity to HIGH, and noted that no exploit exists.
Fields changed: affectedVersions, severity

v1 · 6h ago
Initial creation