CVE-2026-40998

CVE-2026-40998 : Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using the JDK default DocumentBuilderFactory behavior rather than Spring’s hardened parser configuration, exposing applications that evaluate XPath against untrusted XML to XML External Entity (...

Xxe

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in...

Debian Security Advisory DSA 2842-1 (libspring-java - denial of service)

Alvaro Munoz discovered a XML External Entity XXE injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible...

DSA-2842-1 libspring-java - several

Bulletin has no description...

CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework

Severity: Important Vendor: Spring by Pivotal Versions Affected: - 3.0.0 to 3.2.3 Spring OXM & Spring MVC - 4.0.0.M1 Spring OXM - 4.0.0.M1-4.0.0.M2 Spring MVC - Earlier unsupported versions may also be affected Description: The Spring OXM wrapper did not expose any property for disabling entity...