CVE-2026-49875

CVE-2026-49875: Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Vendor Apache Software Foundation

Product Apache CXF

Weakness CWE-611 · XXE

Published June 12, 2026

Last update June 15, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Key dates

Disclosure timeline

June 12, 2026 CVE published

June 15, 2026 Record updated

Identifiers

CVE CVE-2026-49875

CWE CWE-611

Affected versions

Vendor Apache Software Foundation

Product Apache CXF

Affected ≥ 4.2.0 and < 4.2.2

Vendor Apache Software Foundation

Product Apache CXF

Affected < 4.1.7