CVE-2026-13006 PUBLISHED

Incomplete protection against CVE-2025-11226

Assigner: NCSC.ch
Reserved: 23.06.2026 Published: 24.06.2026 Updated: 24.06.2026

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green
CVSS Score: 7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	QOS.CH Sarl
Product	Logback-core
Versions	Default: unaffected affected from 0.9.20 to 1.5.134 (incl.) Version 1.5.35 is unaffected

Exploits

No known exploitation

Workarounds

Remove Janino from the Java classpath or update to logack version 1.5.35 or later. As of logback 1.5.20, the <condition> element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.

Solutions

Credits

IcySun (icysun@qq.com) finder

References

https://logback.qos.ch/news.html#1.5.35

Problem Types

CWE-20 Improper Input Validation CWE

Impacts

Arbitrary code execution on previously compromised system
CAPEC-242 Code Injection