CVE-2026-49875
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening conf
CVSS
9.8
Critical
EPSS
0.5%
p41
KEV
—
Exploit Today
12
0-100
Published: Jun 12, 2026 · Last modified: Jul 15, 2026 · CWE-611
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
- lists.apache.orghttps://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/06/11/2
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36839
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37390
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-49875
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2488309
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49875.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-684938.1 HIG97.5%
——29Missing XML Validation vulnerability in Apache Struts, Apache Struts.
This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the issue.3dCVE-2026-261717.5 HIG75.4%
——23Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.3dCVE-2020-259129.1 CRI68.1%
——20A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS).9dCVE-2023-269999.8 CRI60.5%
——18An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.9dCVE-2021-450249.8 CRI59.5%
——18ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).9dCVE-2023-241877.8 HIG56.2%
——17An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.9d