CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/06/12 10:16 a.m.•8 views

CVE-2026-49875

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

9.8CVSS0.00368EPSS

Exploits0References2

Vulnrichment•added 2026/06/12 8:54 a.m.•5 views

CVE-2026-49875 Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

5.2AI score0.00368EPSS

Exploits0References1

CVE•added 2026/06/12 8:54 a.m.•61 views

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

9.8CVSS5.3AI score0.00368EPSS

Exploits0References2Affected Software1

Cvelist•added 2026/06/11 5:4 a.m.•26 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS0.00352EPSS

Exploits0References1

Vulnrichment•added 2026/06/11 5:4 a.m.•9 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

8.2CVSS5.5AI score0.00352EPSS

Exploits0References1

Spring Security Advisories•added 2026/06/10 12:0 a.m.•5 views

CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK’s default DocumentBuilderFactory behavior instead of Spring’s hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS6AI score0.00352EPSS

Exploits0References1Affected Software1

Snyk•added 2026/06/10 12:0 a.m.•3 views

XML External Entity (XXE) Injection

Overview org.springframework.ws:spring-xml is a dependency of org.springframework.ws. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the Jaxp13XPathTemplate class in Jaxp13XPathTemplate.java. When XPath expressions are evaluated against StreamSource and...

8.8CVSS5.7AI score0.00352EPSS

Exploits0References2

Tenable Nessus•added 2026/05/22 12:0 a.m.•8 views

Unity Linux 20.1060e / 20.1070e Security Update: rubygem-nokogiri (UTSA-2026-016636)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016636 advisory. Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parse...

7.5CVSS7.2AI score0.01583EPSS

OSV•added 2026/05/08 5:46 a.m.•5 views

BIT-JRE-2024-40896

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content by setting "checked". This makes classic XXE attacks possible...

9.1CVSS5.8AI score0.01192EPSS

Positive Technologies•added 2026/05/08 12:0 a.m.•11 views

PT-2026-38831

9.1CVSS5.8AI score0.01192EPSS

OSV•added 2026/05/06 2:44 p.m.•6 views

BIT-JAVA-MIN-2024-40896

OSV•added 2026/05/06 2:44 p.m.•3 views

BIT-JAVA-2024-40896

Positive Technologies•added 2026/05/06 12:0 a.m.•8 views

PT-2026-38017

Positive Technologies•added 2026/05/06 12:0 a.m.•11 views

PT-2026-37810