Apache CXF WS-Transfer Module Insecure XML Parser Configuration Leading to XXE Vulnerability

Vulnerability

A vulnerability exists in the WS-Transfer module of Apache CXF due to an insecure XML parser configuration, which may allow attackers to conduct XML External Entity (XXE) attacks. This issue affects Apache CXF versions 4.2.0 prior to 4.2.1, 4.0.0 prior to 4.1.6, and versions prior to 3.6.11.

Impact

Successful exploitation enables XXE attacks, allowing an attacker to interfere with the application’s processing of XML and potentially access internal files or internal services.

Remediation

Users are advised to upgrade to Apache CXF versions 4.2.1, 4.1.6, or 3.6.11, all of which address this vulnerability.

Added: May 26, 2026, 4:18 PM
Updated: May 26, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          0.6
exploitability  4.7
remediation     7.7
relevance       9.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.