CVE-2026-40998: CWE-611: Improper Restriction of XML External Entity Reference in Spring Spring Web Services
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
AI Analysis
Technical Summary
The vulnerability arises because Jaxp13XPathTemplate evaluates XPath expressions for StreamSource and SAXSource inputs using a code path that relies on the JDK's default DocumentBuilderFactory behavior rather than Spring's hardened parser configuration. This allows attacker-controlled XML to trigger XML External Entity (XXE) attacks when applications evaluate XPath against untrusted XML payloads. The affected versions include Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; and 3.1.0 through 3.1.8.
Potential Impact
Successful exploitation can lead to disclosure of confidential information due to XML External Entity processing. The CVSS v3.1 score of 8.2 reflects high impact on confidentiality with no required privileges or user interaction. Integrity impact is low and availability is not affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is provided in the available data. Until a patch is available, avoid evaluating XPath expressions against untrusted XML inputs or apply custom hardened XML parser configurations to prevent XXE attacks.
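The "custom hardened XML parser configuration" the recommendation above refers to, shown as an added example that is not code from this record or from the Spring Web Services project: a JAXP DocumentBuilderFactory with DTD and external-entity processing disabled parses the untrusted bytes first, and the XPath is then evaluated against the resulting DOM, so no default-configured parser ever sees the raw payload. The class and method names are illustrative; the feature URIs are the standard Xerces/JAXP ones, and the two inputs are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Illustrative class name; not part of Spring Web Services.
public class HardenedXPathEvaluation {

    /** Builds a DocumentBuilderFactory with DTDs and external entity resolution disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every DOCTYPE removes the XXE vector entirely; prefer this when DTDs are not needed.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Empty protocol list: no external DTD or schema may be fetched over any protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    /** Parses untrusted XML with the hardened factory, then evaluates the XPath on the resulting DOM. */
    static String evaluate(byte[] untrustedXml, String xpathExpression) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(untrustedXml));
        XPath xpath = XPathFactory.newInstance().newXPath();
        // The XPath engine receives an already-parsed Node, never the raw bytes, so it cannot
        // fall back to a default-configured parser of its own.
        return (String) xpath.evaluate(xpathExpression, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign document without a DOCTYPE.
        byte[] benign = "<order><id>42</id></order>".getBytes(StandardCharsets.UTF_8);
        System.out.println("order id = " + evaluate(benign, "/order/id"));

        // Constructed sample input: any DOCTYPE, even one declaring only an internal entity,
        // is refused before entity processing can begin.
        byte[] withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order><id>&e;</id></order>"
                .getBytes(StandardCharsets.UTF_8);
        try {
            evaluate(withDoctype, "/order/id");
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException expected) {
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }
}
```

The same pre-parsed Document can be wrapped in a javax.xml.transform.dom.DOMSource and handed to any XPath API that accepts a Source, which avoids the StreamSource and SAXSource inputs named in this advisory; whether a given Spring Web Services version treats a DOMSource differently is not stated in this record and should be confirmed against the vendor advisory.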
CVSS v3.1
Score: 8.2 (High)
Affected software
pkg:maven/org.springframework.ws/spring-ws-core
Weaknesses
CWE-611: Improper Restriction of XML External Entity Reference
Technical Details
- Data Version: 5.2
- Assigner Short Name: vmware
- Date Reserved: 2026-04-16T02:19:12.970Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2a59ba318757064921d3b9
Added to database: 6/11/2026, 6:46:18 AM
Last enriched: 6/11/2026, 7:01:04 AM
Last updated: 6/11/2026, 10:39:15 AM
Views: 16