CVE Catalog

CVE-2026-13006

HighCVSS 7.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

ACE vulnerability in logback-core up to version 1.5.36 allows arbitrary code execution by bypassing protections for CVE-2025-11226. The attack requires Janino library on the classpath and write access to a configuration file or injection of an environment variable.

Risk Assessment

The organization risks full application compromise if an attacker has privileges to modify configuration files or environment variables. Risk increases in shared-access environments.

Recommendation

Immediately upgrade logback-core to version 1.5.37 or later, which removes conditional processing with Janino. Restrict access to configuration files and environment variables.

Original NVD description (English source)

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Please note that in logack version 1.5.37 conditional processing using Janino was removed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS