Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Logback-core by QOS.CH Sarl

    CVE-2026-13006 (GCVE-0-2026-13006)

    Vulnerability from nvd – Published: 2026-06-24 05:41 – Updated: 2026-07-01 11:05
    VLAI
    Title
    Incomplete protection against CVE-2025-11226
    Summary
    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Please note that in logack version 1.5.37 conditional processing using Janino was removed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.36 (maven)
    Unaffected: 1.5.37 (maven)
    Create a notification for this product.
    Date Public
    2026-06-23 11:09
    Credits
    IcySun (icysun@qq.com) "yulate" (yulate531@gmail.com.com)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13006",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:24:18.335394Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:24:27.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "logback-core"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.36",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.37",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "IcySun (icysun@qq.com)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "\"yulate\" (yulate531@gmail.com.com)"
            }
          ],
          "datePublic": "2026-06-23T11:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by\u0026nbsp;compromising an existing logback configuration file or by injecting an environment variable before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eA successful attack requires the presence of Janino library to be present on the user\u0027s class path. In addition, the attacker must\u0026nbsp; have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\u003cbr\u003e\u003cbr\u003e\u003cb\u003ePlease note that in logack version 1.5.37 conditional processing using Janino was removed.\u003c/b\u003e\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by\u00a0compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library to be present on the user\u0027s class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\nPlease note that in logack version 1.5.37 conditional processing using Janino was removed."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T11:05:37.718Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.37"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u0026nbsp;As of logback 1.5.20, the \u0026lt;condition\u0026gt;\u0026nbsp;element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.\u0026nbsp;"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u00a0As of logback 1.5.20, the \u003ccondition\u003e\u00a0element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incomplete protection against CVE-2025-11226",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u0026nbsp;As of logback 1.5.20, the \u0026lt;condition\u0026gt;\u0026nbsp;element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.\u0026nbsp;\u0026nbsp;"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u00a0As of logback 1.5.20, the \u003ccondition\u003e\u00a0element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2026-13006",
        "datePublished": "2026-06-24T05:41:32.197Z",
        "dateReserved": "2026-06-23T14:31:36.004Z",
        "dateUpdated": "2026-07-01T11:05:37.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1225 (GCVE-0-2026-1225)

    Vulnerability from nvd – Published: 2026-01-22 09:24 – Updated: 2026-01-22 14:14
    VLAI
    Title
    Malicious logback.xml configuration file allows instantiation of arbitrary classes
    Summary
    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.24 (maven)
    Unaffected: 1.5.25
    Create a notification for this product.
    Credits
    https://www.code-intelligence.com/ Google Fuzz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T14:14:09.436515Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T14:14:17.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "logback-core",
                "logback-classic"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.24",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.25"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "https://www.code-intelligence.com/"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Google Fuzz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must  have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.\u003c/div\u003e"
                }
              ],
              "value": "ACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\n\n\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must  have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T12:10:39.562Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.25"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to logback version 1.5.25 or later. \u003cbr\u003e"
                }
              ],
              "value": "Update to logback version 1.5.25 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Malicious logback.xml configuration file allows instantiation of arbitrary classes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2026-1225",
        "datePublished": "2026-01-22T09:24:14.634Z",
        "dateReserved": "2026-01-20T12:29:25.357Z",
        "dateUpdated": "2026-01-22T14:14:17.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11226 (GCVE-0-2025-11226)

    Vulnerability from nvd – Published: 2025-10-01 07:26 – Updated: 2026-06-25 16:04
    VLAI
    Title
    Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino
    Summary
    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.18 (maven)
    Unaffected: 1.5.19
    Unaffected: 1.3.16
    Create a notification for this product.
    Credits
    Heihu577
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T16:04:36.111603Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T16:04:42.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "logback-core"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.18",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.19"
                },
                {
                  "status": "unaffected",
                  "version": "1.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:*:*:java:*:*:*:*:*",
                      "versionEndIncluding": "1.5.18",
                      "versionStartIncluding": "0.9.20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.5.19:*:java:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.3.16:*:java:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Heihu577"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u0026nbsp; have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T08:35:28.533Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.19"
            },
            {
              "url": "https://logback.qos.ch/news.html#1.3.16"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2025-11226",
        "datePublished": "2025-10-01T07:26:12.567Z",
        "dateReserved": "2025-10-01T07:25:16.311Z",
        "dateUpdated": "2026-06-25T16:04:42.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12798 (GCVE-0-2024-12798)

    Vulnerability from nvd – Published: 2024-12-19 15:14 – Updated: 2025-01-03 13:38
    VLAI
    Title
    JaninoEventEvaluator vulnerability
    Summary
    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.1 , ≤ 1.3.14 (maven)
    Affected: 1.4.0 , ≤ 1.5.12 (maven)
    Unaffected: 1.3.15
    Unaffected: 1.5.13
    Create a notification for this product.
    Credits
    7asecurity
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T20:17:18.406704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T20:17:33.360Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "logback-core"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.14",
                  "status": "affected",
                  "version": "0.1",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "1.5.12",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.3.15"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.13"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "7asecurity"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u0026nbsp;1.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\u003cbr\u003e\n\u003cbr\u003eA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-03T13:38:58.152Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.13"
            },
            {
              "url": "https://logback.qos.ch/news.html#1.3.15"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
                }
              ],
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "JaninoEventEvaluator\u00a0vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
                }
              ],
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2024-12798",
        "datePublished": "2024-12-19T15:14:21.598Z",
        "dateReserved": "2024-12-19T14:21:00.178Z",
        "dateUpdated": "2025-01-03T13:38:58.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-13006 (GCVE-0-2026-13006)

    Vulnerability from cvelistv5 – Published: 2026-06-24 05:41 – Updated: 2026-07-01 11:05
    VLAI
    Title
    Incomplete protection against CVE-2025-11226
    Summary
    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Please note that in logack version 1.5.37 conditional processing using Janino was removed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.36 (maven)
    Unaffected: 1.5.37 (maven)
    Create a notification for this product.
    Date Public
    2026-06-23 11:09
    Credits
    IcySun (icysun@qq.com) "yulate" (yulate531@gmail.com.com)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13006",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:24:18.335394Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:24:27.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "logback-core"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.36",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.37",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "IcySun (icysun@qq.com)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "\"yulate\" (yulate531@gmail.com.com)"
            }
          ],
          "datePublic": "2026-06-23T11:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by\u0026nbsp;compromising an existing logback configuration file or by injecting an environment variable before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eA successful attack requires the presence of Janino library to be present on the user\u0027s class path. In addition, the attacker must\u0026nbsp; have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\u003cbr\u003e\u003cbr\u003e\u003cb\u003ePlease note that in logack version 1.5.37 conditional processing using Janino was removed.\u003c/b\u003e\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by\u00a0compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library to be present on the user\u0027s class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\nPlease note that in logack version 1.5.37 conditional processing using Janino was removed."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T11:05:37.718Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.37"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u0026nbsp;As of logback 1.5.20, the \u0026lt;condition\u0026gt;\u0026nbsp;element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.\u0026nbsp;"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u00a0As of logback 1.5.20, the \u003ccondition\u003e\u00a0element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incomplete protection against CVE-2025-11226",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u0026nbsp;As of logback 1.5.20, the \u0026lt;condition\u0026gt;\u0026nbsp;element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.\u0026nbsp;\u0026nbsp;"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.37 or later.\u00a0As of logback 1.5.20, the \u003ccondition\u003e\u00a0element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2026-13006",
        "datePublished": "2026-06-24T05:41:32.197Z",
        "dateReserved": "2026-06-23T14:31:36.004Z",
        "dateUpdated": "2026-07-01T11:05:37.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1225 (GCVE-0-2026-1225)

    Vulnerability from cvelistv5 – Published: 2026-01-22 09:24 – Updated: 2026-01-22 14:14
    VLAI
    Title
    Malicious logback.xml configuration file allows instantiation of arbitrary classes
    Summary
    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.24 (maven)
    Unaffected: 1.5.25
    Create a notification for this product.
    Credits
    https://www.code-intelligence.com/ Google Fuzz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1225",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T14:14:09.436515Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T14:14:17.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "logback-core",
                "logback-classic"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.24",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.25"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "https://www.code-intelligence.com/"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Google Fuzz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must  have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.\u003c/div\u003e"
                }
              ],
              "value": "ACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\n\n\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must  have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T12:10:39.562Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.25"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to logback version 1.5.25 or later. \u003cbr\u003e"
                }
              ],
              "value": "Update to logback version 1.5.25 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Malicious logback.xml configuration file allows instantiation of arbitrary classes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2026-1225",
        "datePublished": "2026-01-22T09:24:14.634Z",
        "dateReserved": "2026-01-20T12:29:25.357Z",
        "dateUpdated": "2026-01-22T14:14:17.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11226 (GCVE-0-2025-11226)

    Vulnerability from cvelistv5 – Published: 2025-10-01 07:26 – Updated: 2026-06-25 16:04
    VLAI
    Title
    Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino
    Summary
    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.9.20 , ≤ 1.5.18 (maven)
    Unaffected: 1.5.19
    Unaffected: 1.3.16
    Create a notification for this product.
    Credits
    Heihu577
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T16:04:36.111603Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T16:04:42.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "logback-core"
              ],
              "platforms": [
                "Java"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.18",
                  "status": "affected",
                  "version": "0.9.20",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.19"
                },
                {
                  "status": "unaffected",
                  "version": "1.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:*:*:java:*:*:*:*:*",
                      "versionEndIncluding": "1.5.18",
                      "versionStartIncluding": "0.9.20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.5.19:*:java:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.3.16:*:java:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Heihu577"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u0026nbsp; have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Arbitrary code execution on previously compromised system"
                }
              ]
            },
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T08:35:28.533Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.19"
            },
            {
              "url": "https://logback.qos.ch/news.html#1.3.16"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
                }
              ],
              "value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2025-11226",
        "datePublished": "2025-10-01T07:26:12.567Z",
        "dateReserved": "2025-10-01T07:25:16.311Z",
        "dateUpdated": "2026-06-25T16:04:42.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12798 (GCVE-0-2024-12798)

    Vulnerability from cvelistv5 – Published: 2024-12-19 15:14 – Updated: 2025-01-03 13:38
    VLAI
    Title
    JaninoEventEvaluator vulnerability
    Summary
    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    Impacted products
    Vendor Product Version
    QOS.CH Sarl Logback-core Affected: 0.1 , ≤ 1.3.14 (maven)
    Affected: 1.4.0 , ≤ 1.5.12 (maven)
    Unaffected: 1.3.15
    Unaffected: 1.5.13
    Create a notification for this product.
    Credits
    7asecurity
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T20:17:18.406704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T20:17:33.360Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "logback-core"
              ],
              "product": "Logback-core",
              "vendor": "QOS.CH Sarl",
              "versions": [
                {
                  "lessThanOrEqual": "1.3.14",
                  "status": "affected",
                  "version": "0.1",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "1.5.12",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "maven"
                },
                {
                  "status": "unaffected",
                  "version": "1.3.15"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.13"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "7asecurity"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u0026nbsp;1.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\u003cbr\u003e\n\u003cbr\u003eA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No known exploitation\u003cbr\u003e"
                }
              ],
              "value": "No known exploitation"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-03T13:38:58.152Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://logback.qos.ch/news.html#1.5.13"
            },
            {
              "url": "https://logback.qos.ch/news.html#1.3.15"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
                }
              ],
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "JaninoEventEvaluator\u00a0vulnerability",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
                }
              ],
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2024-12798",
        "datePublished": "2024-12-19T15:14:21.598Z",
        "dateReserved": "2024-12-19T14:21:00.178Z",
        "dateUpdated": "2025-01-03T13:38:58.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }