CVE-2026-13006 | ACE vulnerability in conditional configuration file processi… | CVSS 7.0 HIGH

Description

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Metadata

CVE ID: CVE-2026-13006
State: PUBLISHED
Assigner: NCSC.ch
Reserved: 2026-06-23 14:31 UTC
Published: 2026-06-24 05:41 UTC
Last updated: 2026-06-24 12:24 UTC
Primary CWE: CWE-20
CWE-20 Improper Input Validation
Vendor / Product: QOS.CH Sarl / Logback-core
Sources: cve.org · NVD

Severity & Metrics

7.0 HIGH CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
QOS.CH Sarl	Logback-core	Java	0.9.20 ≤ 1.5.134, 1.5.35

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20 Improper Input Validation

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.0	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green

References (1)

https://logback.qos.ch/news.html#1.5.35