8.8
CVE-2026-50632
- EPSS 0.65%
- Veröffentlicht 12.06.2026 09:00:48
- Zuletzt bearbeitet 02.07.2026 12:17:32
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.65% | 0.463 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw
https://access.redhat.com/security/cve/CVE-2026-50632
https://bugzilla.redhat.com/show_bug.cgi?id=2488304
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50632.json