🔐 CVE Alert

CVE-2026-13006

UNKNOWN 0.0

Incomplete protection against CVE-2025-11226

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

An arbitrary code execution (ACE) vulnerability in conditional configuration file processing in QOS.CH logback-core, up to and including version 1.5.34, allows an attacker to execute arbitrary code in Java applications, circumventing the existing protections against CVE-2025-11226, by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

CWE CWE-20
Vendor qos.ch sarl
Product logback-core
Published Jun 24, 2026

Affected Versions

QOS.CH Sarl / Logback-core
0.9.20 ≤ 1.5.134

References

logback.qos.ch: https://logback.qos.ch/news.html#1.5.35

Credits

IcySun ([email protected])