oss-sec mailing list archives
CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality
From: Colm O hEigeartaigh <coheigea () apache org>
Date: Fri, 22 May 2026 12:11:27 +0100
Severity: important Affected versions: - Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.2.0 before 4.2.1 - Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.0.0 before 4.1.6 - Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) before 3.6.11 Description: Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. Credit: Credit to IcySun (icysun () qq com), 广东东方思维科技有限公司 (finder) References: https://cxf.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-44618
Current thread:
- CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality Colm O hEigeartaigh (May 22)
