CyberSec.Space Logo
Back to CVE Browser

CVE-2026-49875

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0330%
EPSS Percentile14.21th
PublishedJun 12, 2026
Last ModifiedJun 15, 2026

Vulnerability Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
🔗 http://www.openwall.com/lists/oss-security/2026/06/11/2

Related Vulnerabilities

CVE-2026-4077210.0

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

CVE-2026-2018210.0

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after ...

CVE-2026-361110.0

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default co...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...