CVE-2026-49875

Published: Jun 12, 2026Modified: Jun 12, 2026

Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o

Source: security@apache.org

http://www.openwall.com/lists/oss-security/2026/06/11/2

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.