Home > Vulnerability Database > CVE-2026-1225

Mend.io Vulnerability Database

CVE-2026-1225

Good to know:

Date: January 22, 2026

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Severity Score

5.0

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-1225

Url: https://github.com/qos-ch/logback/commit/1f97ae1844b1be8486e4e9cade98d7123d3eded5

Url: https://logback.qos.ch/news.html#1.5.25

Url: https://github.com/qos-ch/logback

Url: https://github.com/qos-ch/logback/issues/997

Url: https://www.mend.io/vulnerability-database/CVE-2026-1225

Severity Score

5.0

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version ch.qos.logback:logback-core:1.5.25;https://github.com/qos-ch/logback.git - v_1.5.25

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-1225

Good to know:

Date: January 22, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?