CVE-2026-49875: Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary
Summary
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes create a SAXParserFactory (the JAXP factory used to obtain an XML parser) without hardening it, so the resulting parser resolves external entities declared in a document's DOCTYPE. An attacker who can supply XML that reaches these parsers can therefore have the server fetch files or URLs that should not be accessible to them. The weakness is an XML External Entity (XXE) flaw, CWE-611 (Improper Restriction of XML External Entity Reference), and can lead to unauthorized data access.
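A minimal illustration of the weakness, added here as an example and not code from Apache CXF: a SAXParserFactory taken with JDK defaults resolves the external entity and returns the referenced file's contents, while a factory with secure processing enabled, DOCTYPE declarations rejected and external entities disabled refuses the same document. The XxeDemo class, the payload and the temporary "secret" file are constructed for the example; the feature URIs are the Xerces ones honoured by the JDK's bundled parser (a different SAX implementation may not recognise them and will throw, which fails closed), and whether the default factory actually expands the entity depends on the JDK version and its JAXP configuration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Vulnerable pattern: the factory is used with its defaults, so the parser
    // it produces will load DTDs and resolve external entities.
    static SAXParserFactory insecureFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory: reject DOCTYPE outright (which also blocks entity
    // expansion attacks), and belt-and-braces disable external entities,
    // external DTD loading and XInclude in case a parser ignores the first flag.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Parses the document with a parser from the given factory and returns the
    // concatenated character data, i.e. whatever the entity expanded to.
    static String parseData(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (e.g. a credentials file).
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "CANARY-SECRET");

        // Constructed XXE payload: the external entity points at the local file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        try {
            // With JDK defaults this prints the file contents: the entity was resolved.
            System.out.println("default factory : " + parseData(insecureFactory(), payload));

            // The hardened parser rejects the DOCTYPE before any entity is touched.
            try {
                parseData(hardenedFactory(), payload);
                System.out.println("hardened factory: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened factory: rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The same feature set applies to DocumentBuilderFactory and XMLInputFactory; when auditing a code base for this class of bug, search for every `newInstance()` on a JAXP factory and check that a hardening call follows it before the parser is created.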
Solution / Mitigation
Upgrade to Apache CXF 4.2.2 or 4.1.7, the releases that contain the fix.
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Disclosure Date
June 12, 2026
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type): CWE-611
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-49875
First tracked: June 12, 2026 at 08:08 AM
Classified by LLM (prompt v3) · confidence: 95%