CVE-2026-49875NVD

Vulnerability Summary

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB)
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Severity Level

UNKNOWN

Published Date

Jun 12, 2026

Last Modified

Jun 12, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.02%Probability

Root Weakness (CWE)

CWE-611: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

External References

https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
http://www.openwall.com/lists/oss-security/2026/06/11/2

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-49875NVD

Vulnerability Summary

External References