{"data":{"id":"0ca4fb2e-1f7c-47bf-8e35-c46b926a1c1e","title":"CVE-2026-40998: Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed atta","summary":"A vulnerability in Spring Web Services allows attackers to exploit XML parsing by sending malicious XML to applications that evaluate XPath expressions. The flaw occurs because Jaxp13XPathTemplate, when evaluating XPath expressions for StreamSource and SAXSource inputs, uses Java's default XML parser instead of Spring's safer parser configuration, making it susceptible to XXE attacks (XML External Entity attacks, where attackers embed malicious external entity references in XML so that the parser accesses unauthorized data or, in some environments, executes commands).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-40998","publishedAt":"2026-06-11T07:16:27.787Z","cveId":"CVE-2026-40998","cweIds":["CWE-611"],"cvssScore":"8.2","cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Spring Web Services"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-11T07:16:27.787Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.65,"researchCategory":null,"atlasIds":null}}