CVE-2026-40998
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
CVE-2026-40998 affects the Jaxp13XPathTemplate component, which evaluates XPath expressions for StreamSource and SAXSource inputs using the default DocumentBuilderFactory behavior of the JDK. This could lead to XML External Entity (XXE) attacks in applications processing untrusted XML data.
Risk Assessment
Organizations may be exposed to XXE attacks, potentially leading to data disclosure or unauthorized code execution. Applications evaluating XPath against untrusted XML payloads are particularly at risk.
Recommendation
It is recommended to upgrade to the latest version of Spring Web Services to benefit from the improved parser configuration. Additionally, avoid processing untrusted XML data without appropriate safeguards.
Original NVD description (English source)
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

