
Spring Web Services CVE-2026-40998

EUVD-2026-36208 · HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-11 vmware GHSA-2mpf-m756-hxjm
8.2
CVSS 3.1 · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Network-reachable XML endpoint, no auth or UI, standard XXE technique gives high confidentiality (file/SSRF read) and limited integrity via response manipulation; no direct availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026 - 08:01 (EUVD)
Analysis generated: Jun 11, 2026 - 07:00 (vuln.today)

Description (CVE.org)

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Analysis (AI)

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify endpoint accepting XML
Delivery: Send payload with external DOCTYPE entity
Exploit: Jaxp13XPathTemplate parses via default DocumentBuilderFactory
Execution: External entity resolved during parse
Impact: Exfiltrate file contents or SSRF response

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application call Jaxp13XPathTemplate to evaluate XPath where the javax.xml.transform.Source is a StreamSource or SAXSource constructed from attacker-controlled XML (the DOMSource path uses a different, hardened parser and is not in scope). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N is consistent with classic XXE: network reachable, no authentication, no user interaction, high confidentiality impact (file/SSRF disclosure) and limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A remote unauthenticated attacker submits an XML document containing an external entity declaration (e.g. <!ENTITY xxe SYSTEM "file:///etc/passwd">) to an application endpoint that internally invokes Jaxp13XPathTemplate.evaluate() with a StreamSource or SAXSource over the request body. …

Remediation: Patch available per vendor advisory at https://spring.io/security/cve-2026-40998; upgrade to the fixed release on the branch you run (5.0.x, 4.1.x, 4.0.x, or 3.1.x). The input data does not name a specific fixed version, so confirm the exact patched build against the Spring advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all applications using Spring Web Services 3.1.x, 4.0.x, 4.1.x, or 5.0.x and identify XML processing workflows. …



CVE-2026-40998 vulnerability details – vuln.today
