Remote code execution exists in log4j where untrusted input is logged: https://github.com/apache/logging-log4j2/pull/608 https://github.com/tangxiaofeng7/apache-log4j-poc Fix is in 2.15.0.