Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-34481EXPLOITEDPATCHED

apache software foundation · apache log4j json template layout

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Description

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache log4j json template layout	2.14.0, 3.0.0-alpha1

References

https://github.com/apache/logging-log4j2/pull/4080(patch)
https://logging.apache.org/security.html#CVE-2026-34481(vendor-advisory)
https://logging.apache.org/cyclonedx/vdr.xml(vendor-advisory)
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html(related)
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv(vendor-advisory)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-34481 | Apache Log4j JSON Template Layout up to 2.25.3/3.0.0-beta3 JsonTemplateLayout escape output

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.25.4

CWECWE-116

PublishedApr 10, 2026

Last enriched4h agov2

Tags

CVE-2026-34481

Trending Score39

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-34480EXP

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CRITICALCVE-2026-34477EXP

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

NONECVE-2026-34479EXP

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

NONECVE-2026-29146

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

NONECVE-2026-24880

Apache Tomcat: Request smuggling via invalid chunk extension

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: description, severity, cvssEstimate, cweIds, activelyExploited, tags

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Patch Available

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated description with new details, changed severity to HIGH, added CVSS estimate of 7.5, and included new CWE-20.

descriptionseveritycvssEstimatecweIdsactivelyExploitedtags

via VulDB

v14h ago

Initial creation