Jaxp13 XPath XXE via StreamSource and SAXSource_CVE-2026-40998

8.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Description

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Basic Information

ID CVE-2026-40998

Source vmware

Published Jun 11, 2026 at 05:04

Affected Product

Vendor Spring

Product Spring Web Services

Version 5.0.0

Affected Versions Spring Spring Web Services 5.0.0
Spring Spring Web Services 4.1.0
Spring Spring Web Services 4.0.0
Spring Spring Web Services 3.1.0

CWE Classification

CWE-611

References

spring.io /security/cve-2026-40998

{
    "lastseen": "",
    "description": "Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
    "published": "2026-06-11T05:04:12.565Z",
    "modified": "2026-06-11T05:04:12.565Z",
    "type": "cve",
    "title": "Jaxp13 XPath XXE via StreamSource and SAXSource",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40998",
    "id": "CVE-2026-40998",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Web Services 5.0.0\nSpring Spring Web Services 4.1.0\nSpring Spring Web Services 4.0.0\nSpring Spring Web Services 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Web Services",
    "version": "5.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}