CVE-2026-40998

HIGH

Spring Web Services - Jaxp13 XPath XXE via StreamSource and SAXSource


Description

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Scores

CVSS v3 8.2
EPSS 0.0039
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (4)
Spring/Spring Web Services 3.1.0 - 3.1.9
Spring/Spring Web Services 4.0.0 - 4.0.19
Spring/Spring Web Services 4.1.0 - 4.1.4
Spring/Spring Web Services 5.0.0 - 5.0.2
Published Jun 11, 2026
Tracked Since Jun 11, 2026