{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.720Z", "datePublished": "2026-01-08T14:52:37.944Z", "dateUpdated": "2026-01-08T15:54:57.412Z"}, "containers": {"cna": {"title": "loggingredactor converts non-string types to string types in logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-704", "lang": "en", "description": "CWE-704: Incorrect Type Conversion or Cast", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9"}, {"name": "https://github.com/armurox/loggingredactor/issues/7", "tags": ["x_refsource_MISC"], "url": "https://github.com/armurox/loggingredactor/issues/7"}, {"name": "https://github.com/armurox/loggingredactor/releases/tag/0.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/armurox/loggingredactor/releases/tag/0.0.6"}], "affected": [{"vendor": "armurox", "product": "loggingredactor", "versions": [{"version": "< 0.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T14:52:37.944Z"}, "descriptions": [{"lang": "en", "value": "Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available."}], "source": {"advisory": "GHSA-rvjx-cfjh-5mc9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/armurox/loggingredactor/issues/7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:50:55.740991Z", "id": "CVE-2026-22041", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:54:57.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22041", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:50:55.740991Z"}}}], "references": [{"url": "https://github.com/armurox/loggingredactor/issues/7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:50:58.712Z"}}], "cna": {"title": "loggingredactor converts non-string types to string types in logs", "source": {"advisory": "GHSA-rvjx-cfjh-5mc9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "armurox", "product": "loggingredactor", "versions": [{"status": "affected", "version": "< 0.0.6"}]}], "references": [{"url": "https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9", "name": "https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/armurox/loggingredactor/issues/7", "name": "https://github.com/armurox/loggingredactor/issues/7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/armurox/loggingredactor/releases/tag/0.0.6", "name": "https://github.com/armurox/loggingredactor/releases/tag/0.0.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-704", "description": "CWE-704: Incorrect Type Conversion or Cast"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T14:52:37.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22041", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:54:57.412Z", "dateReserved": "2026-01-05T22:30:38.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T14:52:37.944Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:armurox:logging_redactor:*:*:*:*:*:python:*:*", "matchCriteriaId": "A05F3F62-BA45-476E-9E5B-DB7E99A5C19F", "versionEndExcluding": "0.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available."}], "id": "CVE-2026-22041", "lastModified": "2026-01-12T19:07:50.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T15:15:45.300", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/armurox/loggingredactor/issues/7"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/armurox/loggingredactor/releases/tag/0.0.6"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/armurox/loggingredactor/issues/7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-704"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:44:07.001147+00:00", "value": {"mitigation_remediation": ["Upgrade armurox LoggingRedactor to version 0.0.6 or newer, which includes the fixed type conversion handling.", "Examine all code that uses LoggingRedactor\u2019s logging methods and ensure that values supplied to percent\u2011style format strings are either already strings or safely converted, and avoid using %d or similar specifiers with non\u2011string data.", "Run regression or unit tests after the upgrade to confirm that log generation proceeds without type conversion errors and that redaction remains functional."], "summary": {"action": "Patch", "impact": "Logging type conversion error"}, "threat_synthesis": {"affected_systems": "Armurox LoggingRedactor is affected by all releases prior to version 0.0.6. Versions 0.0.6 and later include the patch.", "description_and_impact": "LoggingRedactor is a Python library that removes sensitive data from log entries. The bug causes non\u2011string values to be coerced into strings, which results in type conversion errors when percent\u2011style format specifiers like %d are used. These errors can break the logging flow, cause crashes, or corrupt log output. The flaw is a type conversion error (CWE\u2011704) and does not provide direct code execution or data disclosure.", "risk_and_exploitability": "The CVSS score of 2 classifies this as low severity. The EPSS value of less than 1% indicates an extremely low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker would need to execute code that calls LoggingRedactor\u2019s logging functions with non\u2011string values and integer format specifiers to trigger the fault. No public workarounds are known."}}}}, "created": "2026-04-18T16:45:05.231423+00:00", "updated": "2026-04-18T16:45:05.231435+00:00", "vendors": []}