Hi,
The following vulnerabilities were published for logback.
CVE-2025-11226[0]:
| ACE vulnerability in conditional configuration file processing by
| QOS.CH logback-core up to and including version 1.5.18 in Java
| applications, allows an attacker to execute arbitrary code by
| compromising an existing logback configuration file or by injecting
| an environment variable before program execution. A successful
| attack requires the Janino library and Spring Framework to be
| present on the user's class path. In addition, the attacker
| must have write access to a configuration file. Alternatively, the
| attacker could inject a malicious environment variable pointing to
| a malicious configuration file. In both cases, the attack requires
| existing privilege.
CVE-2026-13006[1]:
| ACE vulnerability in conditional configuration file processing by
| QOS.CH logback-core up to and including version 1.5.35 in Java
| applications, allows an attacker to execute arbitrary code
| circumventing existing protections against CVE-2025-11226
| by compromising an existing logback configuration file or by
| injecting an environment variable before program execution. A
| successful attack requires the Janino library to be present on
| the user's class path. In addition, the attacker must
| have write access to a configuration file. Alternatively, the
| attacker could inject a malicious environment variable pointing to
| a malicious configuration file. In both cases, the attack requires
| existing privilege.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11226
https://www.cve.org/CVERecord?id=CVE-2025-11226
[1] https://security-tracker.debian.org/tracker/CVE-2026-13006
https://www.cve.org/CVERecord?id=CVE-2026-13006
Regards,
Salvatore
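Both CVE descriptions hinge on conditional configuration processing, where the expression in an `<if condition="...">` block is evaluated by Janino when the configuration is loaded. A defender triaging this bug wants an inventory of which logback configuration files actually use such blocks, since those are the files whose write access and integrity matter. The following audit script is an added example, not part of the bug report or of logback itself; the sample configuration it scans is constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample logback configuration (not taken from the advisory).
# The <if> blocks are evaluated by Janino at configuration time, which is
# the precondition both CVE descriptions name.
SAMPLE_CONFIG = """<configuration>
  <if condition='property("HOSTNAME").contains("prod")'>
    <then>
      <appender name="FILE" class="ch.qos.logback.core.FileAppender">
        <file>app.log</file>
        <encoder><pattern>%msg%n</pattern></encoder>
      </appender>
    </then>
    <else>
      <if condition='isDefined("DEBUG_MODE")'>
        <then><root level="DEBUG"/></then>
      </if>
    </else>
  </if>
  <root level="INFO"/>
</configuration>"""


@dataclass
class ConditionalBlock:
    path: str       # element path from the root, e.g. configuration/if
    condition: str  # raw expression from the condition attribute


def find_conditional_blocks(xml_text: str) -> list[ConditionalBlock]:
    """Return every <if> element of a logback config with its condition.

    The condition attribute is compiled and run as Java code when the config
    is loaded, so a config file an attacker can write to is code, not data.
    """
    root = ET.fromstring(xml_text)
    found: list[ConditionalBlock] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}" if path else elem.tag
        if elem.tag == "if":
            found.append(ConditionalBlock(here, elem.get("condition", "")))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return found


def uses_conditional_processing(xml_text: str) -> bool:
    """True when the config relies on Janino-evaluated conditional blocks."""
    return bool(find_conditional_blocks(xml_text))
```

Every file reported by `find_conditional_blocks` should carry the same ownership, permission and integrity controls as the application's own binaries; a config without such blocks is not affected by these two CVEs even when Janino is on the class path.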