{"api_version":"1","generated_at":"2026-06-11T18:46:32+00:00","cve":"CVE-2026-40998","urls":{"html":"https://cve.report/CVE-2026-40998","api":"https://cve.report/api/cve/CVE-2026-40998.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-40998","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-40998"},"summary":{"title":"Jaxp13 XPath XXE via StreamSource and SAXSource","description":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.","state":"PUBLISHED","assigner":"vmware","published_at":"2026-06-11 07:16:27","updated_at":"2026-06-11 15:21:30"},"problem_types":["CWE-611","CWE-611 CWE-611: Improper Restriction of XML External Entity Reference"],"metrics":[{"version":"3.1","source":"security@vmware.com","type":"Secondary","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://spring.io/security/cve-2026-40998","name":"https://spring.io/security/cve-2026-40998","refsource":"security@vmware.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-40998","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40998","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Spring","product":"Spring Web Services","version":"affected 5.0.0 5.0.2 custom","platforms":[]},{"source":"CNA","vendor":"Spring","product":"Spring Web Services","version":"affected 4.1.0 4.1.4 custom","platforms":[]},{"source":"CNA","vendor":"Spring","product":"Spring Web Services","version":"affected 4.0.0 4.0.19 custom","platforms":[]},{"source":"CNA","vendor":"Spring","product":"Spring Web Services","version":"affected 3.1.0 3.1.9 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Spring Web Services","vendor":"Spring","versions":[{"lessThan":"5.0.2","status":"affected","version":"5.0.0","versionType":"custom"},{"lessThan":"4.1.4","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.0.19","status":"affected","version":"4.0.0","versionType":"custom"},{"lessThan":"3.1.9","status":"affected","version":"3.1.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."}],"value":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."}],"impacts":[{"descriptions":[{"lang":"en","value":"Applications that evaluate XPath against untrusted XML payloads via StreamSource or SAXSource can be exposed to XXE attacks, including confidential file disclosure or server-side request forgery."}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"CWE-611: Improper Restriction of XML External Entity Reference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-11T05:04:12.565Z","orgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","shortName":"vmware"},"references":[{"url":"https://spring.io/security/cve-2026-40998"}],"source":{"discovery":"UNKNOWN"},"title":"Jaxp13 XPath XXE via StreamSource and SAXSource","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","assignerShortName":"vmware","cveId":"CVE-2026-40998","datePublished":"2026-06-11T05:04:12.565Z","dateReserved":"2026-04-16T02:19:12.970Z","dateUpdated":"2026-06-11T05:04:12.565Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-11 07:16:27","lastModifiedDate":"2026-06-11 15:21:30","problem_types":["CWE-611","CWE-611 CWE-611: Improper Restriction of XML External Entity Reference"],"metrics":{"cvssMetricV31":[{"source":"security@vmware.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"40998","Ordinal":"1","Title":"Jaxp13 XPath XXE via StreamSource and SAXSource","CVE":"CVE-2026-40998","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"40998","Ordinal":"1","NoteData":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.","Type":"Description","Title":"Jaxp13 XPath XXE via StreamSource and SAXSource"}]}}}