ByteOS Network

NVD Vulnerability Details :

CVE-2026-9828

Received

Source-vulnerability@ncsc.ch

Published At-28 May, 2026 | 14:16

Updated At-28 May, 2026 | 14:16

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	1.2	LOW	CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green

Type: Secondary

Version: 4.0

Base score: 1.2

Base severity: LOW

Vector:

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green

Weaknesses

CWE ID	Type	Source
CWE-502	Secondary	vulnerability@ncsc.ch

CWE ID: CWE-502

Type: Secondary

Source: vulnerability@ncsc.ch

References

Hyperlink	Source	Resource
https://logback.qos.ch/news.html#1.5.33	vulnerability@ncsc.ch	N/A

Hyperlink: https://logback.qos.ch/news.html#1.5.33

Source: vulnerability@ncsc.ch

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History