The Log4J vulnerability has been dominating recent tech news. Consequently, we’ve received many request asking whether QGIS is affected. Therefore, we’d like to clarify:
QGIS is not a Java application. QGIS is built using C++ and Python. QGIS therefore does not use any Java component, including Log4j(ava).
It is technically possible that a plugin interfaces with Java applications. If you are aware of any potential vulnerabilities, please contact the plugin developers through the contact information provided in the plugin metadata.