MEDIUM 5.3
GHSA-vmm5-fjgx-2jhp
Apache CXF's WS-Transfer module has an insecure XML parser configuration
Details
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Affected packages
Maven / org.apache.cxf:cxf-rt-ws-transfer
Introduced in: 4.2.0
Fixed in: 4.2.1
Fix:
# pom.xml: bump <version>4.2.1</version> for org.apache.cxf:cxf-rt-ws-transfer

Maven / org.apache.cxf:cxf-rt-ws-transfer
Introduced in: 4.1.0
Fixed in: 4.1.6
Fix:
# pom.xml: bump <version>4.1.6</version> for org.apache.cxf:cxf-rt-ws-transfer

Maven / org.apache.cxf:cxf-rt-ws-transfer
Introduced in: 0
Fixed in: 3.6.11
Fix:
# pom.xml: bump <version>3.6.11</version> for org.apache.cxf:cxf-rt-ws-transfer