{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49875", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-02T08:45:53.536Z", "datePublished": "2026-06-12T08:54:50.103Z", "dateUpdated": "2026-06-15T19:21:20.691Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.cxf:cxf-core", "product": "Apache CXF", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.2.2", "status": "affected", "version": "4.2.0", "versionType": "semver"}, {"lessThan": "4.1.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Venkatraman Kumar (r3dw0lfsec), Securin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.&nbsp;Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.<br><br>"}], "value": "Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-12T08:54:50.103Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-12T09:27:54.123Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T19:21:17.668934Z", "id": "CVE-2026-49875", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T19:21:20.691Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49875", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-02T08:45:53.536Z", "datePublished": "2026-06-12T08:54:50.103Z", "dateUpdated": "2026-06-15T19:21:20.691Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.cxf:cxf-core", "product": "Apache CXF", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.2.2", "status": "affected", "version": "4.2.0", "versionType": "semver"}, {"lessThan": "4.1.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Venkatraman Kumar (r3dw0lfsec), Securin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.&nbsp;Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.<br><br>"}], "value": "Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-12T08:54:50.103Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-12T09:27:54.123Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-49875", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T19:21:17.668934Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T18:31:41.093Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0505632-D713-4EFC-B857-12EBD5C3DF33", "versionEndExcluding": "4.1.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1BF06FC-96AD-4663-9959-1B1493D4A2A0", "versionEndExcluding": "4.2.2", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue."}], "id": "CVE-2026-49875", "lastModified": "2026-06-15T21:17:22.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-12T10:16:22.340", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "cxf: org.apache.cxf/cxf-core: Apache CXF: Information disclosure via out-of-band external entity resolution due to missing JAXP hardening", "id": "2488309", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488309"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.", "A flaw was found in Apache CXF. The EndpointReferenceUtils and W3CMultiSchemaFactory classes within Apache CXF construct a SAXParserFactory without proper security configurations. This oversight enables out-of-band (OOB) external entity resolution, a type of XML External Entity (XXE) vulnerability. A remote attacker could exploit this to disclose sensitive information from the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-49875", "package_state": [{"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "cxf-core", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "cxf-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "cxf-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "cxf-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "cxf-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "cxf-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "cxf-core", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "cxf-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-06-12T08:54:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49875\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49875\nhttp://www.openwall.com/lists/oss-security/2026/06/11/2\nhttps://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"], "statement": "This is an Important information disclosure vulnerability in Apache CXF, affecting Red Hat products that bundle the component, such as Enterprise Application Platform, JBoss Web Server, and Red Hat Single Sign-On. The flaw allows a remote attacker to disclose sensitive information due to improper XML parsing configurations, which can be exploited without user interaction.", "threat_severity": "Important"}