9.8

CVE-2026-49875

Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) 
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCxf Version < 4.1.7
ApacheCxf Version >= 4.2.0 < 4.2.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.52% 0.402
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/06/11/2
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=2488309
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49875.json
https://access.redhat.com/errata/RHSA-2026:36839
https://access.redhat.com/security/cve/CVE-2026-49875
https://access.redhat.com/errata/RHSA-2026:37390