CVE-2026-49875 PUBLISHED

Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Assigner: apache
Reserved: 02.06.2026 | Published: 12.06.2026 | Updated: 12.06.2026

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
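The description above names the root cause as a SAXParserFactory built with JDK defaults, which permit external DTD loading and external entity expansion. The following is an added illustration of that weak construction beside the JAXP-hardened form a defender would expect; it is not Apache CXF's own code or its fix, and the class name, the `parses` helper and the `dtd.example.invalid` URI are constructed for this example. All feature and property names used are standard JAXP/SAX/Xerces identifiers.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class illustrating the weak vs. hardened factory setup (not CXF code).
public class HardenedSaxFactory {

    // Weak: JDK defaults leave external DTD loading and external
    // general/parameter entities enabled, so a DOCTYPE with a SYSTEM
    // identifier can cause out-of-band file or network access.
    static SAXParserFactory weakFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened: the standard JAXP hardening set for SAX parsers.
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Secure processing also makes accessExternalDTD/Schema default to "" on JDK parsers.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Constructed helper: true if the factory's parser accepts the document.
    static boolean parses(SAXParserFactory f, String xml) {
        try {
            SAXParser p = f.newSAXParser();
            // Parser-level restriction on external access (JAXP 1.5+); older
            // parsers that do not recognise the properties are tolerated.
            try {
                p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            } catch (SAXNotRecognizedException | SAXNotSupportedException ignored) {
                // not supported by this parser implementation
            }
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a DOCTYPE pointing at an external DTD via a
        // placeholder URI (.invalid never resolves), and a plain document.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x SYSTEM \"http://dtd.example.invalid/x.dtd\">"
                + "<x/>";
        String plain = "<x/>";

        // Only the hardened factory is exercised against the DOCTYPE sample; it
        // is rejected before any external resolution is attempted.
        System.out.println("hardened, plain element: " + parses(hardenedFactory(), plain));
        System.out.println("hardened, with DOCTYPE : " + parses(hardenedFactory(), withDoctype));
        System.out.println("weak, plain element    : " + parses(weakFactory(), plain));
    }
}
```

The check to apply when auditing code like the affected classes is simple: any `SAXParserFactory.newInstance()` (or `DocumentBuilderFactory`, `XMLInputFactory`) whose result is used without the feature calls above is a finding, and disallowing the DOCTYPE declaration is the single most effective setting when the input format does not legitimately need one.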

Product Status

Vendor: Apache Software Foundation
Product: Apache CXF
Versions (default: unaffected):
  • affected from 4.2.0 to 4.2.2 (excl.)
  • affected from 0 to 4.1.7 (excl.)

Credits

  • Venkatraman Kumar (r3dw0lfsec), Securin (finder)

References

Problem Types

  • CWE-611: Improper Restriction of XML External Entity Reference