Apache Log4cxx XMLLayout XSS: Unsanitized Characters (pre1.7.0)
CVE-2026-40023 Published on April 10, 2026
Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.
Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.
Timeline
Vulnerability reported by Olawale Titiloye
Fix shared publicly by Stephen Webb as pull request #609 1 day later.
Log4cxx 1.7.0 released 19 days later.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2026-40023 has been classified to as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2026-40023
Want to know whenever a new CVE is published for Apache Log4cxx? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Log4cxx:- Before 1.7.0 is affected.
- Before 1.7.0 is affected.
- Before 1.7.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.