Shodan
Vulnerabilities
Vulnerable Software
Apache:  >> Cxf  >> 3.5.10  Security Vulnerabilities
CVE-2026-44417
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CVSS Score
7.5
EPSS Score
0.002
Published
2026-05-22
CVE-2026-44618
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CVSS Score
5.3
EPSS Score
0.002
Published
2026-05-22
CVE-2026-44930
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-05-22
CVE-2025-48913
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-08-08
CVE-2025-48795
Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.
CVSS Score
5.6
EPSS Score
0.003
Published
2025-07-15


Products
Pricing
Contact Us

Shodan ® - All rights reserved