CVE-2026-34480: Medium-Severity Log4j Vulnerability Detected in Apache Log4j 2.11.2

A newly identified medium-severity vulnerability, CVE-2026-34480, has been detected in a widely used Apache Log4j component. The flaw is present in the `log4j-core-2.11.2.jar` library, a core part of the Apache Log4j logging framework. This specific vulnerable instance was found within a project's dependency tree, introduced via the `solr-velocity-8.3.1.jar` library. The detection occurred in the project's `master` branch, indicating the vulnerable code is present in the primary line of development and was confirmed in a specific commit (bada63441522c15b923cde8a080ad10d787106e1).

The vulnerability's presence in Log4j 2.11.2 raises immediate security concerns, given the framework's near-ubiquitous use in Java applications for logging. While the exact technical details of CVE-2026-34480 are not fully disclosed in this alert, its classification as a medium-severity issue suggests a risk that could lead to information disclosure, denial of service, or limited remote code execution under specific conditions. The path to the vulnerable JAR file is clearly traced to a local Maven repository, confirming its active use within the build environment.

This discovery places pressure on development teams and organizations relying on the affected Solr and Log4j versions. It necessitates urgent scrutiny of dependency graphs to identify all instances of Log4j 2.11.2. The finding signals that, despite heightened awareness from previous Log4j crises like Log4Shell, legacy and transitive dependencies continue to introduce latent risks. Organizations must now assess their exposure, prioritize patching or upgrading to a secure version of Log4j, and review the security posture of any application bundling the `solr-velocity-8.3.1.jar` library.