CVE-2026-34481

>= 2.14.0 and < 2.25.4

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and i

7.5HIGH

CVE-2026-34480

>= 2.0 and < 2.25.4

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and includin

7.5HIGH

CVE-2026-34479

>= 2.7 and < 2.25.4

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, produc

7.5HIGH

CVE-2026-34478

>= 2.21.0 and < 2.25.4

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 thr

7.5HIGH

CVE-2026-34477

>= 2.12.0 and < 2.25.4

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verific

5.9MEDIUM

CVE-2025-68161

>= 2.0.1 and < 2.25.3

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer

4.8MEDIUM

CVE-2023-26464

>= 1.0.4 and < 2.0

UNSUPPORTED WHEN ASSIGNED When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an atta

7.5HIGH

CVE-2022-23307

>= 1.2 and < 2.0

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a compon

8.8HIGH

CVE-2022-23305

>= 1.2 and <= 1.2.17

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted a

9.8CRITICAL

CVE-2022-23302

>= 1.0.1 and <= 1.2.17

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the

8.8HIGH

CVE-2021-44832

>= 2.0.1 and < 2.3.2

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code

6.6MEDIUM

CVE-2021-45105

>= 2.0 and < 2.3.1

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from sel

5.9MEDIUM

CVE-2021-45046

>= 2.0.1 and < 2.12.2

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. T

9.0CRITICAL

CVE-2021-4104

all versions

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j config

7.5HIGH

CVE-2021-44228

>= 2.0.1 and < 2.3.1

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration

10.0CRITICAL

CVE-2020-9493

>= 1.2 and < 2.0

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

9.8CRITICAL

CVE-2020-9488

>= 2.0 and < 2.3.2

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be in

3.7LOW

CVE-2019-17571

<= 1.2.17

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to re

9.8CRITICAL

CVE-2017-5645

>= 2.0 and < 2.8.2

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from anot

9.8CRITICAL