Description
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an XML External Entity (XXE) weakness (CWE-611) in the JAXP XPath evaluation path used by Spring Web Services. When evaluating XPath expressions over StreamSource or SAXSource objects, the code accidentally parsed the attacker-controlled XML with the JDK's default DocumentBuilderFactory settings, which permit external entity resolution. This behavior allows an adversary to inject malicious XML that can reference internal files, trigger network calls, or otherwise cause data disclosure or denial of service during XPath processing.

Affected Systems

Spring Web Services is affected. The vulnerability exists in the following release ranges: 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1. No other releases are listed as affected in the CVE information, so later versions are not confirmed as vulnerable.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known public exploits yet. The likely attack vector is remote, as the vulnerability is triggered when a Spring application receives XML payloads that it evaluates with XPath. Successful exploitation could enable attackers to read sensitive files, exfiltrate data, or trigger a denial of service under suitable circumstances.

Generated by OpenCVE AI on June 11, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch for Spring Web Services (versions 5.0.2+, 4.1.4+, 4.0.19+, or 3.1.9+).
  • Configure Spring’s XML parser to disable external entity resolution by setting the DocumentBuilderFactory features, e.g., javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING to true and disallow-doctype-decl to true.
  • Sanitize and validate any incoming XML payloads to ensure they contain only allowed namespaces and do not include external entity declarations.
  • As an additional control, limit the network endpoints and file system paths that the application can access during XPath evaluation.

Generated by OpenCVE AI on June 11, 2026 at 08:20 UTC.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title       |                | Jaxp13 XPath XXE via StreamSource and SAXSource
Weaknesses  |                | CWE-611
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:12.565Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-40998

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T07:16:27.787

Modified: 2026-06-11T07:16:27.787

Link: CVE-2026-40998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T08:30:06Z

Weaknesses