CVE-2026-49875
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
A vulnerability in Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes constructs a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.
Risk Assessment
An attacker could exploit this vulnerability to read files from the server, perform SSRF attacks, or leak sensitive data via OOB requests.
Recommendation
Upgrade Apache CXF to versions 4.2.2 or 4.1.7 immediately, which contain the fix for this issue.
Original NVD description (English source)
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

