CVE Catalog

CVE-2026-40998

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

CVE-2026-40998 affects the Jaxp13XPathTemplate component, which evaluates XPath expressions for StreamSource and SAXSource inputs using the default DocumentBuilderFactory behavior of the JDK. This could lead to XML External Entity (XXE) attacks in applications processing untrusted XML data.

Risk Assessment

Organizations may be exposed to XXE attacks, potentially leading to data disclosure or unauthorized code execution. Applications evaluating XPath against untrusted XML payloads are particularly at risk.

Recommendation

It is recommended to upgrade to the latest version of Spring Web Services to benefit from the improved parser configuration. Additionally, avoid processing untrusted XML data without appropriate safeguards.

Original NVD description (English source)

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS