CVE-2026-44618

MEDIUM

Apache CXF: XXE vulnerability in WS-Transfer functionality

Title source: cna
STIX 2.1

Description

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

References (2)

Core 2

Scores

CVSS v3 5.3
EPSS 0.0034
EPSS Percentile 25.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (8)
apache/cxf 4.2.0
apache/cxf < 3.6.11
Apache Software Foundation/Apache CXF < 3.6.11
Apache Software Foundation/Apache CXF 4.0.0 - 4.1.6
Apache Software Foundation/Apache CXF 4.2.0 - 4.2.1
org.apache.cxf/cxf-rt-ws-transfer 0 - 3.6.11Maven
org.apache.cxf/cxf-rt-ws-transfer 4.1.0 - 4.1.6Maven
org.apache.cxf/cxf-rt-ws-transfer 4.2.0 - 4.2.1Maven
Published May 22, 2026
Tracked Since May 22, 2026