ppkarwasz opened a new pull request, #40: URL: https://github.com/apache/logging-site/pull/40
CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects `log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1, 3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1. CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one produced by `Logger.info(Object)`, is also affected, and to point at the follow-up CVE. Add a `log4j-api` dummy component to the VDR, bump the BOM version and refresh the affected `updated` elements. Assisted-By: Claude Opus 4.8 (1M context) <[email protected]> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
