CVE-2026-40998
Status: Received - Intake
XML External Entity Injection in Spring Web Services

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_web_services From 3.1.0 (inc) to 3.1.8 (inc)
vmware spring_web_services From 4.0.0 (inc) to 4.0.18 (inc)
vmware spring_web_services From 4.1.0 (inc) to 4.1.3 (inc)
vmware spring_web_services From 5.0.0 (inc) to 5.0.1 (inc)
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Executive Summary

CVE-2026-40998 is a vulnerability in the affected versions of Spring Web Services involving the Jaxp13XPathTemplate component.

When given StreamSource or SAXSource input, this component evaluates XPath expressions on a code path that parses the XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. The JDK default resolves external entities declared in a DOCTYPE, so attacker-controlled XML is parsed with insecure settings and the application is exposed to XML External Entity (XXE) attacks.

Depending on parser and platform behavior, an XXE payload can make the server read local files into the parsed document (confidential file disclosure) or fetch attacker-chosen URLs (server-side request forgery).

Compliance Impact

Because the vulnerability lets attacker-controlled XML be parsed with external entity resolution enabled, a successful XXE attack can expose confidential files or let the attacker reach internal services through server-side request forgery.

Either outcome is unauthorized access to, or disclosure of, data, which bears on obligations under data protection regimes such as GDPR and HIPAA that require sensitive information to be safeguarded against unauthorized access.

An exploited instance could therefore constitute a confidentiality breach under those standards, with the reporting and remediation duties that follow.

Impact Analysis

Applications that use an affected Spring Web Services version to evaluate XPath expressions against untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource input are exposed to XXE attacks.

  • Confidential file disclosure: the parser reads attacker-named local files into the document, where the XPath result or an error message can return them.
  • Server-side request forgery (SSRF): the parser fetches attacker-chosen URLs from the server's network position.

These impacts can lead to data breaches, unauthorized access, and, where the fetched content or reachable internal services are sensitive, further compromise of the server environment.

Mitigation Strategies

The recommended mitigation is to upgrade to the fixed versions of Spring Web Services.

  • Upgrade to 5.0.2 (OSS) or 5.0.1.1 (Enterprise Support Only) for 5.0.x versions.
  • Upgrade to 4.1.4 (OSS) or 4.1.3.1 (Enterprise Support Only) for 4.1.x versions.
  • Upgrade to 4.0.19 (Enterprise Support Only) for 4.0.x versions.
  • Upgrade to 3.1.9 (Enterprise Support Only) for 3.1.x versions.

The advisory lists no additional mitigation steps beyond upgrading. Note that the fix covers Spring's own parsing path only; any DocumentBuilderFactory or SAXParserFactory the application constructs itself for untrusted XML is unaffected by the upgrade and still needs its own hardening.
