9.8
CVE-2026-49875
- EPSS 0.52%
- Veröffentlicht 12.06.2026 08:54:50
- Zuletzt bearbeitet 10.07.2026 12:17:07
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.52% | 0.402 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
http://www.openwall.com/lists/oss-security/2026/06/11/2
https://bugzilla.redhat.com/show_bug.cgi?id=2488309
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49875.json
https://access.redhat.com/errata/RHSA-2026:36839
https://access.redhat.com/security/cve/CVE-2026-49875
https://access.redhat.com/errata/RHSA-2026:37390