Arbitrary Code Injection Affecting jul-to-slf4j package, versions *


Severity: medium (based on the CentOS security rating)

Threat Intelligence

EPSS
0.12% (3rd percentile)

  • Snyk ID: SNYK-CENTOS8-JULTOSLF4J-17530613
  • Published: 26 Jun 2026
  • Disclosed: 24 Jun 2026

Introduced: 24 Jun 2026

CVE-2026-13006
CWE-94

How to fix?

There is no fixed version for Centos:8 jul-to-slf4j.

NVD Description

Note: Versions mentioned in the description apply only to the upstream jul-to-slf4j package and not to the jul-to-slf4j package as distributed by CentOS. See "How to fix?" for CentOS:8 relevant fixed versions and status.

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications allows an attacker to execute arbitrary code, circumventing existing protections against CVE-2025-11226, by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires the Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

CVSS Base Scores

version 3.1