This issue has undergone the Sonatype Fast-Track process. For more information, please see the Sonatype Knowledge Base Guide.

Component Name: ch.qos.logback:logback-core

Component Version: 1.5.18

Repository: maven

Instance ID: D223399FC1BFF045939AC651D50F78DE

Primary Rule ID: CVE-2025-11226

CVSS Base Score: 5.9

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

File Locations: fortifyUpload/subModuleDependencies/logback-core-1.5.18.jar

Standards and Best Practices:

OWASP 2021: A06:2021 – Vulnerable and Outdated Components

PCI 4.0: 6.3.3 – All system components are protected from known vulnerabilities by installing applicable security patches/updates

CWE: CWE-20

Next Non-Vulnerable Version: 1.5.19

Greatest Non-Vulnerable Version: 1.5.19

Links: https://logback.qos.ch/news.html#1.5.19

Comment From: philwebb

We have an automatic dependency upgrade process that will pick up the latest release in due course.