Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 maven packages depend on org.apache.cxf:cxf-rt-ws-transfer (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.2.0.
DescriptionCVE.org
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Analysis
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
More in Apache Cxf
View allArbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
Remote code execution in Apache CXF (versions before 3.6.11, 4.0.0-4.1.5, and 4.2.0) arises because the fix for CVE-2025
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31434
GHSA-vmm5-fjgx-2jhp