{"timestamp":"2026-06-24T12:24:18.335394Z","id":"CVE-2026-13006","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.



A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a 
configuration file. Alternatively, the attacker could inject a malicious 
environment variable pointing to a malicious configuration file. In both 
cases, the attack requires existing privilege.

AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Green

CWE-20

https://logback.qos.ch/news.html#1.5.35

[{"vendor":"QOS.CH Sarl","product":"Logback-core","defaultStatus":"unaffected","modules":["logback-core"],"platforms":["Java"],"versions":[{"version":"0.9.20","lessThanOrEqual":"1.5.134","versionType":"maven","status":"affected"},{"version":"1.5.35","versionType":"maven","status":"unaffected"}]}]