| CVE-2021-44228 | critical | — | 10.0 | | | | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. |
| CVE-2017-5645 | critical | 9.8 | 9.8 | | | | 9y ago | Deserialization of Untrusted Data in Log4j |
| CVE-2026-34477 | medium | 5.9 | 5.9 | | | | 2mo ago | Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration |
| CVE-2021-45105 | medium | 5.9 | 5.9 | | | | 5y ago | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thre… |
| CVE-2021-45046 | unknown | — | 2.5 | | | | 5y ago | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in… |
| CVE-2026-34480 | unknown | — | — | | | | 2mo ago | Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 spec… |
| CVE-2026-34478 | unknown | — | — | | | | 2mo ago | Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility |
| CVE-2025-68161 | unknown | — | — | | | | 5mo ago | Apache Log4j does not verify the TLS hostname in its Socket Appender |
| CVE-2023-26464 | unknown | — | — | | | | 3y ago | Apache Log4j 1.x (EOL) allows Denial of Service (DoS) |
| CVE-2021-44832 | unknown | — | — | | | | 5y ago | Improper Input Validation and Injection in Apache Log4j2 |
| CVE-2020-9488 | unknown | — | — | | | | 6y ago | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender |