Improper Encoding or Escaping of Output Affecting logstash-9.2-with-output-opensearch package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-MINIMOSLATEST-LOGSTASH92WITHOUTPUTOPENSEARCH-16327131
- published1 May 2026
- disclosed10 Apr 2026
Introduced: 10 Apr 2026
CVE-2026-34479 (opens in a new tab)How to fix?
There is no fixed version for Minimos:latest logstash-9.2-with-output-opensearch.
NVD Description
Note: Versions mentioned in the description apply only to the upstream logstash-9.2-with-output-opensearch package and not the logstash-9.2-with-output-opensearch package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
- Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
- Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
References
- https://www.cve.org/CVERecord?id=CVE-2026-34479
- https://github.com/advisories/GHSA-h383-gmxw-35v2
- https://osv.dev/vulnerability/MINI-cj25-w84h-9f6g
- https://osv.dev/vulnerability/CVE-2026-34479
- https://github.com/apache/logging-log4j2/pull/4078
- https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
- https://logging.apache.org/security.html#CVE-2026-34479
- http://www.openwall.com/lists/oss-security/2026/04/10/8