GHSA-xw5h-cmh3-8j6j
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable XML parser with no auth/UI; OOB XXE typically crosses a security scope to internal systems (S:C), high confidentiality via exfiltration, lower I/A as direct write/DoS is secondary.
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Analysis (AI)
XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)

| Section | Assessment |
|---|---|
| Exploitation | The vulnerable code paths are in EndpointReferenceUtils and W3CMultiSchemaFactory; an exploitable deployment must process attacker-controlled XML through one of these classes, which typically occurs on CXF-based SOAP/WS-Addressing endpoints that accept external XML or W3C XML Schema documents. … |
| Risk Assessment | The signals here conflict significantly and warrant careful interpretation. … |
| Exploit Scenario | An attacker submits a SOAP request or XML payload containing a crafted DOCTYPE with an external entity referencing an attacker-controlled URL (e.g., http://attacker.example/exfil?d=) to a CXF-based web service endpoint that funnels input through EndpointReferenceUtils or W3CMultiSchemaFactory. The unhardened SAX parser resolves the entity over the network, leaking server-side resources such as internal HTTP responses, cloud metadata endpoints, or file contents back to the attacker out-of-band. … |
| Remediation | Vendor-released patch: upgrade to Apache CXF 4.2.2 or 4.1.7, which add the missing JAXP hardening to EndpointReferenceUtils and W3CMultiSchemaFactory. … |
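To make the "missing JAXP hardening" concrete, the following added Java example (not CXF's code and not the vendor patch) places a default SAXParserFactory beside a hardened one and checks that the hardened parser refuses a constructed DOCTYPE-bearing document before any external resolution can occur. The specific feature set used for hardening is an assumed defensive configuration, and the sample XML and the `example.invalid` host are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxExample {
    // Unhardened: JAXP defaults resolve external entities and fetch external DTDs,
    // which is the pattern the advisory describes for the affected classes.
    static SAXParserFactory unhardenedFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened (assumed mitigation pattern, not CXF's patch): refuse DOCTYPE outright
    // and, as defence in depth, disable entity/DTD fetching and XInclude.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns true when the hardened parser rejects the document at the DOCTYPE,
    // i.e. before the entity's SYSTEM URL could ever be contacted.
    static boolean rejectsDoctype(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        try {
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true; // JDK's Xerces-based parser reports "DOCTYPE is disallowed"
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an out-of-band style entity pointing at a reserved, non-routable host.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE a [<!ENTITY x SYSTEM \"http://example.invalid/p\">]><a>&x;</a>";
        String clean = "<a>hello</a>";
        System.out.println("hardened rejects XXE sample: " + rejectsDoctype(xxe)
                + ", rejects clean document: " + rejectsDoctype(clean));
    }
}
```

Auditing an application for this class of issue means finding every place a parser factory is built (SAXParserFactory, DocumentBuilderFactory, XMLInputFactory, SchemaFactory) and confirming it passes through a hardening step like the one above rather than using the defaults.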
Recommended Action (AI)
24 hours: Identify all systems running Apache CXF and determine current versions; prioritize systems that process external XML input. …
EUVD-2026-36394