Skip to main content

Apache Cxf CVE-2026-44618

| EUVDEUVD-2026-31434
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-22 apache GHSA-vmm5-fjgx-2jhp
5.3
CVSS · NVD

Severity by source

NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 26, 2026 - 14:16 EUVD
CVE Published
May 22, 2026 - 12:17 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.apache.cxf:cxf-rt-ws-transfer (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionCVE.org

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Analysis

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Share

CVE-2026-44618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy