Artifactory/JFrog Xray is flagging saspy (currently latest: 5.107.1) as affected by CVE-2026-34480 due to its bundled org.apache.logging.log4j:log4j-core dependency.
About the CVE
CVE-2026-34480 affects Apache Log4j Core's XmlLayout in versions up to and including 2.25.3. It fails to sanitize characters forbidden by the XML 1.0 specification, which can result in either malformed XML output or exceptions that drop log events entirely — effectively a denial of service for logging operations.
- Severity: Medium (CVSS 6.9)
- Fix: Upgrade
log4j-core to 2.25.4
- Published: April 10, 2026
Artifactory/JFrog Xray is flagging saspy (currently latest: 5.107.1) as affected by CVE-2026-34480 due to its bundled
org.apache.logging.log4j:log4j-coredependency.About the CVE
CVE-2026-34480 affects Apache Log4j Core's
XmlLayoutin versions up to and including 2.25.3. It fails to sanitize characters forbidden by the XML 1.0 specification, which can result in either malformed XML output or exceptions that drop log events entirely — effectively a denial of service for logging operations.log4j-coreto 2.25.4