
The Log4Shell vulnerability has been given the highest possible CVE severity rating <https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/>. It’s a really, really stupid bug in a logging framework called Log4j, which is used by an incredible variety of Java-based applications, including Minecraft. Log messages are generated according to customizable format templates that the admin can specify. These templates allow the creation of a range of different messages, including all kinds of useful information which can aid in debugging, performance monitoring, usage statistics gathering, etc. But one thing you should never, ever do is, having substituted some text from some random source (e.g. user input), go back and scan that text for format substitution codes. But that is what the buggy code does.
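The ordering mistake described above, shown with a toy formatter. This is an added example, not Log4j's code: the `${name}` token syntax, the `%m` message placeholder, the `LOOKUPS` table and all function names are assumptions made for illustration, and the sample values are constructed.

```python
import re

# Constructed lookup table standing in for the values a logging
# framework can resolve on the admin's behalf (hypothetical names).
LOOKUPS = {"app": "shop-api", "cfg:db_password": "constructed-secret"}

# A substitution code in this toy syntax looks like ${name}.
TOKEN = re.compile(r"\$\{([^{}]+)\}")


def resolve(text):
    """Replace each ${name} with its lookup value; unknown names stay as-is."""
    return TOKEN.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)


def format_rescanning(template, message):
    """Buggy order: insert the untrusted message, then scan the whole line.

    Any substitution code inside the message is now indistinguishable from
    one the admin wrote in the template, so it gets resolved too.
    """
    return resolve(template.replace("%m", message))


def format_single_pass(template, message):
    """Safe order: resolve codes in the admin's template only.

    The template is split at the %m placeholder, each trusted piece is
    resolved, and the message is joined in afterwards as inert data.
    """
    return message.join(resolve(part) for part in template.split("%m"))


if __name__ == "__main__":
    template = "[${app}] user said: %m"          # written by the admin
    hostile = "hello ${cfg:db_password}"         # constructed user input
    print(format_rescanning(template, hostile))  # message text was interpreted
    print(format_single_pass(template, hostile)) # message text stayed literal
```

With the re-scanning order, whoever controls the message controls which lookups run; with the single-pass order the same input is logged verbatim.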