Thanks a lot, log4j

2021-12-19 blog

So recently the world exploded with log4j drama: CVE-2021-4228 (severity 10.0/10), CVE-2021-45105 (9.0) and CVE-2021-45105 again (7.5). It seems that now that many eyes are on the old library, lots of vulnerabilities are being found.

The first vulnerability was bad – really, really bad. The only mitigating factor was praying you didn’t use the library in any public-facing code, because if you did it was horrendously easy to exploit. A patch was rushed out. Only then did they find that it didn’t protect against all situations. So a second patch was rushed out. Only then did they find that the second patch didn’t protect against all situations either. So a third patch was rushed out.

The only semi-saving grace is that those who discovered it disclosed it fairly responsibly, allowing time for a patch to be ready at announcement. So the bad guys were scrambling just as hard to figure out a way to make use of it before the world patched, and any exploitation of it at this time is likely still rudimentary and rushed.