5 matches found

Cvelist
added 7 hours ago, 5 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

CVSS 8.2
Exploits: 0, References: 1
OSV
added 2018/10/16 11:8 p.m., 0 views

GHSA-3HRC-F439-727G Apache Camel XML External Entity vulnerability

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource...

CVSS 5, AI score 7.3, EPSS 0.0257
Exploits: 0, References: 15
RedHat Linux
added 2015/08/03 7:41 p.m., 3 views

Camel: XXE in via SAXSource expansion

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more...

CVSS 5, AI score 5.8, EPSS 0.0257
Exploits: 0, References: 5
RedHat Linux
added 2015/08/03 7:41 p.m., 2 views

Camel: XXE in via SAXSource expansion

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more...

CVSS 5, AI score 5.8, EPSS 0.0257
Exploits: 0, References: 5
RedHat Linux
added 2015/06/01 5:8 p.m., 0 views

Camel: XXE in via SAXSource expansion

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more...

CVSS 5, AI score 5.8, EPSS 0.0257
Exploits: 0, References: 5