CVE-2026-40998 - Vulnerability Details - OpenCVE

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://spring.io/security/cve-2026-40998

History

Thu, 11 Jun 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title		Jaxp13 XPath XXE via StreamSource and SAXSource
Weaknesses		CWE-611
References		https://spring.io/security/cve-2026-40998
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-11T05:04:12.565Z

Updated: 2026-06-11T05:04:12.565Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-40998

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:27.787

Modified: 2026-06-11T07:16:27.787

Link: CVE-2026-40998

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40998", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:12.970Z", "datePublished": "2026-06-11T05:04:12.565Z", "dateUpdated": "2026-06-11T05:04:12.565Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-11T05:04:12.565Z"}, "title": "Jaxp13 XPath XXE via StreamSource and SAXSource", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Applications that evaluate XPath against untrusted XML payloads via StreamSource or SAXSource can be exposed to XXE attacks, including confidential file disclosure or server-side request forgery."}]}], "affected": [{"vendor": "Spring", "product": "Spring Web Services", "defaultStatus": "unaffected", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.0.2", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.4", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.19", "versionType": "custom"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.9", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."}]}], "references": [{"url": "https://spring.io/security/cve-2026-40998"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}