Zero Day MonitorZDM

← Back to list

—

CVE-2026-40023EXPLOITEDPATCHED

apache software foundation · apache log4cxx

Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters

Description

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache log4cxx	0, 0, 0

References

https://github.com/apache/logging-log4cxx/pull/609(patch)
https://logging.apache.org/security.html#CVE-2026-40023(vendor-advisory)
https://logging.apache.org/cyclonedx/vdr.xml(vendor-advisory)
https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html(related)
https://lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b(vendor-advisory)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-40023 | Apache Log4cxx up to 1.6.x escape output

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.7.0

CWECWE-116

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score39

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-34480EXP

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CRITICALCVE-2026-34477EXP

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

NONECVE-2026-34479EXP

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

NONECVE-2026-29146

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

NONECVE-2026-24880

Apache Tomcat: Request smuggling via invalid chunk extension

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Patch Available

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 1.6.x and changed severity to HIGH, with the vulnerability now actively exploited.

affectedVersionsseverityactivelyExploited

via VulDB

v14h ago

Initial creation