CVE-2026-1225 LOW

CVE-2026-1225: Malicious logback.xml configuration file allows instantiation of arbitrary classes

Vendor: Qos.ch Sarl
Product: Logback-core
Weakness: CWE-20 · Input validation
Published: January 22, 2026
Last update: January 22, 2026

CVSS base score

1.8/10
Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green

What the vulnerability does

01 Description

An ACE vulnerability in configuration file processing by QOS.CH logback-core, up to and including version 1.5.24, in Java applications allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. Instantiating a potentially malicious Java class requires that the class is present on the user's class path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
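A defender-side check for the condition described above, as an added example that is not part of the advisory or of logback: it parses a logback configuration and reports every `class` attribute that names a class outside an allowlist. It assumes classes are named through `class` attributes; the allowlist prefix, the function name and the constructed sample configuration are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Assumption: the only packages this deployment expects logback.xml to reference.
ALLOWED_PREFIXES = ("ch.qos.logback.",)

# Constructed sample: a stock configuration plus one element changed to
# reference a class outside logback (placeholder name, not a real class).
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
      <pattern>%d %-5level %logger - %msg%n</pattern>
    </encoder>
  </appender>
  <appender name="X" class="com.example.placeholder.NotALogbackClass"/>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""


def audit_logback_config(xml_text, allowed_prefixes=ALLOWED_PREFIXES):
    """Return sorted (element, class_name) pairs outside the allowlist."""
    # A logback configuration needs no DTD; refusing one keeps the audit
    # itself from expanding entities in a file that may have been tampered with.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not expected in a logback configuration")
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        cls = elem.get("class")
        if cls is None:
            continue
        cls = cls.strip()
        # Anything not fully qualified under an allowed prefix is reported,
        # including unresolved ${...} substitutions, which cannot be checked
        # statically and need manual review.
        if not cls.startswith(tuple(allowed_prefixes)):
            findings.append((elem.tag, cls))
    return sorted(findings)


if __name__ == "__main__":
    for tag, cls in audit_logback_config(SAMPLE_CONFIG):
        print(f"unexpected class in <{tag}>: {cls}")
```

Because the description makes write access to the configuration file a precondition, a check like this fits alongside file-integrity monitoring of that file.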

Key dates

02 Disclosure timeline

January 22, 2026: CVE published
January 22, 2026: Record updated
