πŸ” CVE Alert

CVE-2026-49875

UNKNOWN 0.0

Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.Β Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

CWE CWE-611
Vendor apache software foundation
Product apache cxf
Published Jun 12, 2026
Last Updated Jun 12, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache cxf

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache cxf are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

Apache Software Foundation / Apache CXF
4.2.0 < 4.2.2 0 < 4.1.7

References

NVD β†— CVE.org β†— EPSS Data β†—
lists.apache.org: https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o openwall.com: http://www.openwall.com/lists/oss-security/2026/06/11/2

Credits

Venkatraman Kumar (r3dw0lfsec), Securin