CVE-2026-49875
Critical · CVSS 9.8Apache CXF — XML External Entity (XXE) injection via unsecured SAXParserFactory (CWE-611)
- CVSS
- 9.8
- nvd
- EPSS
- —
- KEV
- No
- Class
- other
- CWE-611
Description
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Search profile — drives PoC discovery
Symbols EndpointReferenceUtilsW3CMultiSchemaFactorySAXParserFactorySAXParserFactory without JAXP hardeningOOB external entity resolutionFEATURE_SECURE_PROCESSINGXMLConstants.FEATURE_SECURE_PROCESSING
Keywords CVE-2026-49875Apache CXF XXEApache CXF EndpointReferenceUtils XXEApache CXF W3CMultiSchemaFactory XXEApache CXF SAXParserFactory JAXP hardeningApache CXF OOB external entityApache CXF 4.2.2Apache CXF 4.1.7CXF XXE proof of conceptCXF external entity injection PoC
Versions: < 4.1.7, < 4.2.2 (fixed in 4.1.7 and 4.2.2)
References
Status: enriched · ingested 2026-06-15T18:00:58.000Z · profiled 2026-06-16T18:20:23.035Z