github
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-445c-vh5m-36rj/GHSA-445c-vh5m-36rj.json‎
Lines changed: 101 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-445c-vh5m-36rj/GHSA-445c-vh5m-36rj.json‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-6hg6-v5c8-fphq/GHSA-6hg6-v5c8-fphq.json‎
Lines changed: 96 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-6hg6-v5c8-fphq/GHSA-6hg6-v5c8-fphq.json‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json‎
Lines changed: 100 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-445c-vh5m-36rj/GHSA-445c-vh5m-36rj.json‎
Lines changed: 0 additions & 56 deletions b/‎advisories/unreviewed/2026/04/GHSA-445c-vh5m-36rj/GHSA-445c-vh5m-36rj.json‎
Lines changed: 0 additions & 56 deletions
@@ -0,0 +1,101 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-445c-vh5m-36rj",
+  "modified": "2026-04-14T00:13:29Z",
+  "published": "2026-04-10T18:31:17Z",
+  "aliases": [
+    "CVE-2026-34478"
+  ],
+  "summary": "Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility",
+  "details": "Apache Log4j Core's [`Rfc5424Layout`](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The `newLineEscape` attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The `useTlsMessageFormat` attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\nUsers of the `SyslogAppender` are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.21.0"
+            },
+            {
+              "fixed": "2.25.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-beta1"
+            },
+            {
+              "last_affected": "3.0.0-beta3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/logging-log4j2/pull/4074"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/logging-log4j2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/security.html#CVE-2026-34478"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/10/7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-117",
+      "CWE-684"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T00:13:29Z",
+    "nvd_published_at": "2026-04-10T16:16:31Z"
+  }
+}
@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6hg6-v5c8-fphq",
+  "modified": "2026-04-14T00:11:55Z",
+  "published": "2026-04-10T18:31:17Z",
+  "aliases": [
+    "CVE-2026-34477"
+  ],
+  "summary": "Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration",
+  "details": "The fix for  CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the  [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `<Ssl>` element.\n\nAlthough the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested <Ssl> element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.\n\nThis issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.12.0"
+            },
+            {
+              "fixed": "2.25.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-alpha1"
+            },
+            {
+              "last_affected": "3.0.0-beta3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34477"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/logging-log4j2/pull/4075"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/logging-log4j2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/security.html#CVE-2026-34477"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-297"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T00:11:55Z",
+    "nvd_published_at": "2026-04-10T16:16:30Z"
+  }
+}
@@ -0,0 +1,100 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h383-gmxw-35v2",
+  "modified": "2026-04-14T00:10:59Z",
+  "published": "2026-04-10T18:31:18Z",
+  "aliases": [
+    "CVE-2026-34479"
+  ],
+  "summary": "Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
+  "details": "The `Log4j1XmlLayout` from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n* Those using `Log4j1XmlLayout` directly in a Log4j Core 2 configuration file.\n* Those using the Log4j 1 configuration compatibility layer with `org.apache.log4j.xml.XMLLayout` specified as the layout class.\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version `2.25.4`, which corrects this issue.\n\n> [!NOTE]\n> The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the\n> [Log4j 1 to Log4j 2 migration guide](https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), and specifically the section on eliminating reliance on the bridge.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-1.2-api"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.7"
+            },
+            {
+              "fixed": "2.25.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.logging.log4j:log4j-1.2-api"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-beta1"
+            },
+            {
+              "last_affected": "3.0.0-beta2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34479"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/logging-log4j2/pull/4078"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/logging-log4j2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logging.apache.org/security.html#CVE-2026-34479"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T00:10:59Z",
+    "nvd_published_at": "2026-04-10T16:16:31Z"
+  }
+}