CVE-2026-10532— Logback deserialization whitelist bypass for Proxy objects
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| QOS.CH Sarl | logback | ≤ 1.5.33 | affected |
1.5.34 | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10532
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Logback deserialization whitelist bypass for Proxy objects
Source: NVD (National Vulnerability Database)
Vulnerability Description
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.33 inclusive.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| QOS.CH Sarl | logback | 0 ~ 1.5.33 | - |
II. Public POCs for CVE-2026-10532
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10532
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: logback
- CVE-2026-9828
Logback deserialization whitelist bypass for java.lang and j - CVE-2024-12801
SaxEventRecorder vulnerable to Server-Side Request Forgery ( - CVE-2023-6481
Logback "receiver" DOS vulnerability CVE-2023-6378 incomplet - CVE-2023-6378
Logback "receiver" DOS vulnerability - CVE-2021-42550
RCE from attacker with configuration edit priviledges throug
Same vendor: QOS.CH Sarl
- CVE-2026-9828
Logback deserialization whitelist bypass for java.lang and j - CVE-2026-1225
Malicious logback.xml configuration file allows instantiatio - CVE-2025-11226
Conditional processing of logback.xml configuration file, in - CVE-2024-12801
SaxEventRecorder vulnerable to Server-Side Request Forgery ( - CVE-2024-12798
JaninoEventEvaluator vulnerability
Same weakness: CWE-502
- CVE-2026-9330
IBM WebSphere Application Server is affected by remote code - CVE-2026-9319
IBM WebSphere Application Server is affected by a remote cod - CVE-2026-49121
AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE - CVE-2026-42359
Apache Airflow: Authenticated RCE via XCom PATCH endpoint — - CVE-2026-45360
Apache Airflow: Arbitrary import in custom deadline-referenc
V. Comments for CVE-2026-10532
No comments yet