| CVE-2021-44228 | critical | — | 10.0 | | | | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. |
| CVE-2017-5645 | critical | 9.8 | 9.8 | | | | 9y ago | Deserialization of Untrusted Data in Log4j |
| CVE-2021-45046 | unknown | — | 2.5 | | | | 5y ago | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in… |
| CVE-2026-34480 | unknown | — | — | | | | 2mo ago | Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 spec… |
| CVE-2026-34478 | unknown | — | — | | | | 2mo ago | Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility |
| CVE-2025-68161 | unknown | — | — | | | | 6mo ago | Apache Log4j does not verify the TLS hostname in its Socket Appender |
| CVE-2023-26464 | unknown | — | — | | | | 3y ago | Apache Log4j 1.x (EOL) allows Denial of Service (DoS) |