- Description: Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
- Source: security@vmware.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 8.2
- Impact score: 4.2
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Severity: HIGH
- security@vmware.com
- CWE-611
- Hype score: Not currently trending
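
The description contrasts the JDK's default DocumentBuilderFactory behavior with a hardened parser configuration. The sketch below is an added example in plain JAXP, not Spring Web Services code and not the project's fix: it parses untrusted XML with a hardened factory and only then evaluates XPath on the resulting DOM. The class name `HardenedXPathDemo` and both sample documents are constructed for illustration, and the `disallow-doctype-decl` feature name assumes the JDK's built-in (Xerces-based) parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXPathDemo {  // hypothetical class name

    // Hardened JAXP factory: DOCTYPE declarations are rejected outright, so no
    // entity (internal or external) can be declared, let alone resolved.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth: no protocols allowed for external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse untrusted XML with the hardened factory, then run XPath on the DOM.
    static String evaluate(String expression, String untrustedXml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(untrustedXml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate(expression, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the second declares only an internal entity.
        String benign = "<order><id>42</id></order>";
        String withDoctype =
            "<!DOCTYPE order [<!ENTITY e \"expanded\">]><order><id>&e;</id></order>";

        System.out.println("benign: " + evaluate("/order/id", benign));
        try {
            evaluate("/order/id", withDoctype);
            System.out.println("DOCTYPE accepted: parser is not hardened");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

A factory obtained from `DocumentBuilderFactory.newInstance()` without these settings accepts the DOCTYPE in the second document, which is the default behavior the description refers to.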
CVE-2026-40998: Critical Spring Web Services XXE Vulnerability https://t.co/zq6Zcm2PuI #Cyberupdates #Cybertechnews #Cybersecurity
@cybrsecpath
13 Jun 2026
Multiple serious vulnerabilities fixed in Spring Framework: Spring Security XSS CVE-2026-41003, Spring WS SSRF CVE-2026-40999, XXE CVE-2026-40998, and validation bug CVE-2026-40994. https://t.co/yqUcJQ37xA
@__kokumoto
12 Jun 2026
🚨*CVE* CVE-2026-40998 Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default Doc… https://t.co/dLaSyXEknF ----- Translation: CVE-2026-40998 Jax… https://t.co/utmtNg
@infoflowcloud
11 Jun 2026