CVE-2026-44618

Summary

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXF4.2.0 < 4.2.1affected
Apache Software FoundationApache CXF4.0.0 < 4.1.6affected
Apache Software FoundationApache CXF0 < 3.6.11affected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References