Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-34481EXPLOITEDPATCHED

apache software foundation · apache log4j json template layout

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Description

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache log4j json template layout	maven/org.apache.logging.log4j:log4j-layout-template-json: >= 2.14.0, < 2.25.4, maven/org.apache.logging.log4j:log4j-layout-template-json: >= 3.0.0-alpha1, < 3.0.0-beta3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
maven	org.apache.logging.log4j:log4j-layout-template-json	GHSA	85%

References

https://github.com/apache/logging-log4j2/pull/4080(patch)
https://logging.apache.org/security.html#CVE-2026-34481(vendor-advisory)
https://logging.apache.org/cyclonedx/vdr.xml(vendor-advisory)
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html(related)
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv(vendor-advisory)

Related News (1 articles)

Tier C

VulDB7h ago

CVE-2026-34481 | Apache Log4j JSON Template Layout up to 2.25.3/3.0.0-beta3 JsonTemplateLayout escape output

→ No new info (linked only)

CVSS 3.17.5 MEDIUM

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

org.apache.logging.log4j:log4j-layout-template-json@2.25.4org.apache.logging.log4j:log4j-layout-template-json@3.0.0-beta3

CWECWE-116

PublishedApr 10, 2026

Last enriched6h agov2

Tags

CVE-2026-34481

Trending Score41

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-34480EXP

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CRITICALCVE-2026-34477EXP

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

NONECVE-2026-34479EXP

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

CRITICALCVE-2026-29145

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

HIGHCVE-2026-29146

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: description, severity, cvssEstimate, cweIds, activelyExploited, tags

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Patch Available

Apr 10, 2026

Version History

v2

Last enriched 6h ago

v2Tier C6h ago

Updated description with new details, changed severity to HIGH, added CVSS estimate of 7.5, and included new CWE-20.

descriptionseveritycvssEstimatecweIdsactivelyExploitedtags

via VulDB

v16h ago

Initial creation