CVE-2026-49875

Vulnerability Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB)
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Vulnerability Details

Published Date

June 12, 2026

Last Modified

June 12, 2026

CWE ID

CWE-611

Source

NVD

Vendor

Apache Software Foundation

Product

Apache CXF

External References

https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
http://www.openwall.com/lists/oss-security/2026/06/11/2

CVE-2026-49875

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment