CVE Watchtower


← Back to CVE List

CVE-2026-34481NVD

Vulnerability Summary

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage, or logs an object directly (e.g., via Logger.info(Object), which wraps it in an ObjectMessage), where the message contains an attacker-controlled floating-point value.


Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Note: The fix released in version 2.25.4 did not cover all affected code paths. CVE-2026-49844 was assigned to the remaining issue, which concerns the MapMessage.asJson() serialization in Apache Log4j API and is fixed in versions 2.25.5 and 2.26.1.
Severity Level
MEDIUM(6.3)
Published Date
Apr 10, 2026
Last Modified
Jul 11, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
0.56%Probability
Root Weakness (CWE)
N/A
CVSS v4.0 Base Metrics