log4net
NuGet
3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting log4net
- CVE-2006-0743 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.10 | 2006-03-09
Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors.
- CVE-2018-1285 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.0.10 | 2020-05-11
vulnerable: 1.2.10 ... 2.0.9 (12 versions)
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
- CVE-2026-40021 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 3.3.0 | 2026-04-10
vulnerable: 1.2.10 ... 3.2.0 (27 versions)
Apache Log4net's XmlLayout (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list) and XmlLayoutSchemaLog4J (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list), in versions before 3…