Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.2.0 before 4.2.1
- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.0.0 before 4.1.6
- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) before 3.6.11

Description:

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Credit:

Credit to IcySun ([email protected]), 广东东方思维科技有限公司 (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44618
