CVE-2026-13006
Status: Received - Intake
ACE Vulnerability in QOS.CH Logback-Core Java Library

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Switzerland Government Common Vulnerability Program

Description
ACE vulnerability in the conditional configuration file processing of QOS.CH logback-core, up to and including version 1.5.34, in Java applications allows an attacker to execute arbitrary code, circumventing the existing protections against CVE-2025-11226, by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file; alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
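The description names two preconditions a defender can check for without touching the running application: a logback-core jar at or below 1.5.34 and a Janino jar on the same class path. The following class path audit is an added example written for this page, not code from QOS.CH or from the CVE record; it assumes a standard Maven jar layout (a `META-INF/maven/ch.qos.logback/logback-core/pom.properties` file, with the jar file name `logback-core-<version>.jar` as a fallback) and recognises Janino by its `org/codehaus/janino/` package. The sample jars are constructed in memory so the script runs offline; point `audit_directory` at a real `lib/` directory to audit a deployment.

```python
import io
import re
import zipfile
from pathlib import Path

# Highest affected logback-core version named in the advisory (inclusive).
LAST_AFFECTED = (1, 5, 34)

# Fallback when pom.properties is missing: version taken from the jar file name.
NAME_VERSION_RE = re.compile(r"logback-core-(\d+)\.(\d+)\.(\d+)\.jar$")
POM_PROPERTIES = "META-INF/maven/ch.qos.logback/logback-core/pom.properties"


def parse_version(text):
    """Turn '1.5.34' (optionally with a '-SNAPSHOT' style suffix) into (1, 5, 34)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(name, data):
    """Describe one jar: does it ship logback-core (and which version), does it ship Janino."""
    info = {"name": name, "has_logback_core": False, "logback_core_version": None,
            "has_janino": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.namelist()
        info["has_janino"] = any(e.startswith("org/codehaus/janino/") for e in entries)
        if any(e.startswith("ch/qos/logback/core/") for e in entries):
            info["has_logback_core"] = True
            version = None
            if POM_PROPERTIES in entries:
                for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            if version is None:
                m = NAME_VERSION_RE.search(name)
                if m:
                    version = tuple(int(x) for x in m.groups())
            info["logback_core_version"] = version
    return info


def audit_classpath(jars):
    """jars: iterable of (file name, jar bytes). Returns the audit findings."""
    affected, unknown, janino = [], [], []
    for name, data in jars:
        info = inspect_jar(name, data)
        if info["has_janino"]:
            janino.append(name)
        if info["has_logback_core"]:
            v = info["logback_core_version"]
            if v is None:
                unknown.append(name)           # present but version not determinable
            elif v <= LAST_AFFECTED:
                affected.append((name, v))
    return {
        "affected_logback_core": affected,
        "unknown_version_logback_core": unknown,
        "janino_jars": janino,
        # Both advisory preconditions hold: vulnerable logback-core AND Janino available.
        "preconditions_met": bool(affected) and bool(janino),
    }


def audit_directory(path):
    """Audit every *.jar in a directory (e.g. an application's lib/ folder)."""
    jars = [(p.name, p.read_bytes()) for p in Path(path).glob("*.jar")]
    return audit_classpath(jars)


def make_jar(entries):
    """Build a minimal jar in memory (constructed test data, not real artifacts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed sample class path: affected logback-core plus Janino plus an unrelated jar.
SAMPLE_JARS = [
    ("logback-core-1.5.34.jar", make_jar({
        "ch/qos/logback/core/Context.class": b"",
        POM_PROPERTIES: "version=1.5.34\n"})),
    ("janino-3.1.12.jar", make_jar({"org/codehaus/janino/ScriptEvaluator.class": b""})),
    ("commons-lang3-3.14.0.jar", make_jar({"org/apache/commons/lang3/StringUtils.class": b""})),
]

if __name__ == "__main__":
    for key, value in audit_classpath(SAMPLE_JARS).items():
        print(f"{key}: {value}")
```

Removing Janino from the class path removes the conditional-processing precondition entirely; if Janino is needed for other reasons, the remaining controls are the file and environment permissions the advisory describes, which this script does not check.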
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor: qos.ch
Product: logback-core
Version / Range: up to and including 1.5.34
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability is an ACE (Arbitrary Code Execution) issue in the conditional configuration file processing of the QOS.CH logback-core library, up to and including version 1.5.34, used in Java applications.

It allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before the program starts.

For the attack to succeed, the Janino library must be present on the user's class path, and the attacker must have write access to the configuration file or be able to inject a malicious environment variable.

The attack requires existing privileges, meaning the attacker must already have some level of access to the system.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the affected Java application.

An attacker with existing privileges could exploit this to run malicious code, potentially compromising the system or application.

Because the attack requires write access to configuration files or environment variables, it could allow privilege escalation or unauthorized actions within the application context.
