Apache Log4j is a Java-based logging utility.

Apache Log4j

Wolfi is a community Linux OS designed for the container and cloud-native era; it is a Linux distribution based on Alpine.

Wolfi

Chainguard is a Linux distribution based on Alpine. It's the commercial version of the Wolfi distro.

Chainguard

Spring WebFlux is a non-blocking, reactive web framework for building scalable and highly concurrent web applications. It is a part of the Spring 5 framework and supports both Reactive Streams and Java 9+ Flow APIs. WebFlux can be used with popular reactive libraries such as Reactor and RxJava, enabling asynchronous request processing and efficient use of system resources.

Spring WebFlux

Spring Web MVC is a Java-based framework for building web applications. It follows the Model-View-Controller (MVC) architecture and simplifies web application development through its dependency injection, data binding, and flexible configuration features. Spring Web MVC is a part of the larger Spring Framework.

Spring Web MVC

Debian GNU/Linux is a Linux distribution composed of free and open-source software.

Linux Debian

Red Hat Enterprise Linux is a Linux distribution developed by Red Hat for the commercial market.

Linux Red Hat

Echo is a secure, minimal Linux OS built vulnerability-free. It is fully compatible across environments and continuously patched - making it a clean, dependable base layer for modern applications. Echo is used by organizations focused on security and reliability, including those with compliance or FIPS requirements.

Echo

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-24400	HIGH	8.2	Java	javapackages-tools:201801::maven-surefire	No	Yes	Jan 26, 2026
CVE-2025-68161	MEDIUM	6.3	Apache Solr	flink-2.2	No	Yes	Dec 18, 2025
CVE-2026-22737	MEDIUM	5.9	Apache Log4j	log4j-slf4j	No	Yes	Mar 20, 2026
CVE-2026-22735	LOW	2.6	Apache Log4j	pki-resteasy	No	Yes	Mar 20, 2026
CVE-2026-1225	LOW	1.8	Java	slf4j-manual	No	Yes	Jan 22, 2026

CVE-2026-22737:
Apache Log4j vulnerability analysis and mitigation

5.9

Related Apache Log4j vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2026-22737: Apache Log4j vulnerability analysis and mitigation