CVE-2026-44618

CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality

Vendor: Apache Software Foundation
Product: Apache CXF
Weakness: CWE-611 (XXE)
Published: May 22, 2026
Last update: May 22, 2026

What the vulnerability does

Description

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Key dates

Disclosure timeline

May 22, 2026: CVE published
May 22, 2026: Record updated