CVE Catalog

CVE-2026-49875

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

38th percentile — higher than 38% of all known CVEs

Summary

A vulnerability in Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes constructs a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.

Risk Assessment

An attacker could exploit this vulnerability to read files from the server, perform SSRF attacks, or leak sensitive data via OOB requests.

Recommendation

Upgrade Apache CXF to versions 4.2.2 or 4.1.7 immediately, which contain the fix for this issue.

Original NVD description (English source)

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS