Lucene search
K

9801 matches found

Snyk
Snyk
added 2026/06/12 11:10 a.m.6 views

XML External Entity (XXE) Injection

Overview org.apache.cxf:cxf-core is an an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. Affected versions of this package are vulnerable to XML External Entity XXE Injection due to improper configuration of the...

9.8CVSS5.7AI score0.00485EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 a.m.11 views

CVE-2026-49875

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

9.8CVSS0.00485EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/12 8:54 a.m.52 views

CVE-2026-49875 Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

0.00485EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:54 a.m.102 views

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

9.8CVSS5.3AI score0.00485EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/06/12 8:54 a.m.16 views

EUVD-2026-36394

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

5.2AI score0.00485EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:54 a.m.7 views

CVE-2026-49875 Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

5.2AI score0.00485EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.13 views

PT-2026-48844

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 4.2.2 Apache CXF versions prior to 4.1.7 Description The EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the required JAXP hardening configurations. This allows for...

9.8CVSS5.3AI score0.00485EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/06/12 12:0 a.m.13 views

EulerOS Virtualization 2.13.1 : expat (EulerOS-SA-2026-2369)

According to the versions of the expat packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory...

5.5CVSS5.5AI score0.00216EPSS
Exploits1References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 9:35 a.m.10 views

Malicious code in clsx-tailwind (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e1efb9d7593baede89024227d99cc6ca9fc0c86e1f0faf8dd78560174cf1b39 Package advertises a trivial Tailwind class-name merger a 5-line cn helper but its main entry dist/index.js unconditionally requires...

5.5AI score
Exploits0References2
NCSC
NCSC
added 2026/06/11 8:15 a.m.17 views

Vulnerabilities in Adobe ColdFusion

Adobe has addressed several vulnerabilities in Adobe ColdFusion versions 2023.19, 2025.8, and earlier versions. These vulnerabilities include improper input validation, which allows arbitrary code to be executed without user interaction. There is also a path traversal vulnerability that enables...

10CVSS6.3AI score0.08871EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:4 a.m.14 views

EUVD-2026-36208

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:4 a.m.37 views

CVE-2026-40998

CVE-2026-40998 : Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using the JDK default DocumentBuilderFactory behavior rather than Spring’s hardened parser configuration, exposing applications that evaluate XPath against untrusted XML to XML External Entity (...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.11 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 5:4 a.m.32 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS0.00352EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.10 views

Fedora 44 : xmlstarlet (2026-dbf44e0b72)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-dbf44e0b72 advisory. Fixes XML external entity vulnerability. For more information, refer to . Tenable has extracted the preceding description block directly from the Fedora...

5.6AI score
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.26 views

VMware Spring Web Services 代码问题漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are code vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from the defaul...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.11 views

Fedora 43 : xmlstarlet (2026-3c78c99467)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3c78c99467 advisory. Fixes XML external entity vulnerability. For more information, refer to . Tenable has extracted the preceding description block directly from the Fedora...

5.6AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 9:2 p.m.10 views

CVE-2026-47960

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference 'XXE' vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended...

7.4CVSS5.6AI score0.00406EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 2:59 p.m.13 views

CVE-2026-8045

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints...

7.1CVSS5.4AI score0.00233EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 12:31 a.m.12 views

EUVD-2026-35885

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next execute...

5.9CVSS5.5AI score0.00223EPSS
Exploits0References2
Rows per page
Query Builder