AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-40998: Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed atta

highvulnerability

security

Source: NVD/CVE DatabaseJune 11, 2026CVE-2026-40998

Summary

A vulnerability in Spring Web Services allows attackers to exploit XML parsing by sending malicious XML to applications that evaluate XPath expressions. The flaw occurs because the software uses Java's default XML parser instead of Spring's safer parser configuration, making it susceptible to XXE attacks (XML External Entity attacks, where attackers embed malicious references in XML files to access unauthorized data or execute commands).

Vulnerability Details

CVSS Score

8.2(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

June 11, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-611

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40998

First tracked: June 11, 2026 at 08:03 AM

Classified by LLM (prompt v3) · confidence: 65%