CVE-2026-13006 - High Severity Vulnerability
Vulnerable Library - logback-core-1.4.14.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /OPENAPI-REST-API/swagger-client/jaxrs-cxf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar
Dependency Hierarchy:
- logback-classic-1.4.14.jar (Root Library)
- ❌ logback-core-1.4.14.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications allows an attacker to execute arbitrary code, circumventing existing protections against CVE-2025-11226, by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Publish Date: 2026-06-24
URL: CVE-2026-13006
CVSS 3 Score Details (7.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-24
Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.35,ch.qos.logback:logback-core:1.5.35