Add CVE-2026-49844 and update CVE-2026-34481#40
Merged
Conversation
CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects `log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1, 3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1. CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one produced by `Logger.info(Object)`, is also affected, and to point at the follow-up CVE. Add a `log4j-api` dummy component to the VDR, bump the BOM version and refresh the affected `updated` elements. Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Logging Services vulnerability disclosures by adding a new CVE entry for an uncovered Log4j API JSON serialization code path, and by amending the prior CVE to reference the follow-up issue and impacted message types.
Changes:
- Added CVE-2026-49844 to both the CycloneDX VDR and the Antora vulnerabilities page, including affected/fixed version ranges.
- Updated CVE-2026-34481 text to clarify
ObjectMessageimpact and to point to CVE-2026-49844. - Bumped the VDR BOM version and refreshed timestamps/
updatedelements to reflect the changes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/site/static/cyclonedx/vdr.xml | Bumps VDR version/timestamp, adds a dummy log4j-api component, adds CVE-2026-49844, and amends CVE-2026-34481. |
| src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc | Adds a new CVE-2026-49844 section and updates CVE-2026-34481 description/remediation to reference the follow-up CVE. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CVE-2026-49844 covers the
MapMessage.asJson()code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affectslog4j-api[2.13.1, 2.25.5),[2.26.0, 2.26.1)and[3.0.0-alpha1, 3.0.0-beta2], and is fixed in 2.25.5 and 2.26.1.CVE-2026-34481 is amended to note that an
ObjectMessage, e.g. one produced byLogger.info(Object), is also affected, and to point at the follow-up CVE.Add a
log4j-apidummy component to the VDR, bump the BOM version and refresh the affectedupdatedelements.Assisted-By: Claude Opus 4.8 (1M context) [email protected]