CVE-2026-40998
Status: Awaiting Analysis - Queue

XML External Entity Injection in Spring Web Services

Vulnerability report for CVE-2026-40998, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-23

Assigner: VMware

Description

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
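The advisory's point is the difference between the JDK's default DocumentBuilderFactory and a hardened one. The Java class below is an added illustration, not code from Spring Web Services or from the advisory: it parses one constructed document (a DOCTYPE with a harmless internal entity, no external reference) with both configurations. The default factory processes the DTD and expands the entity; the hardened factory refuses the DOCTYPE outright. The feature set in hardenedFactory() is a common XXE-safe configuration and is my assumption; it is not claimed to be identical to Spring's own hardened parser setup.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlParserHardening {

    // Constructed sample input: a DOCTYPE with an internal entity declaration.
    // Nothing external is referenced; it only shows whether the parser honours
    // a DTD supplied by the document at all.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE r [<!ENTITY e \"expanded\">]>"
      + "<r>&e;</r>";

    /** JDK default behaviour: the DTD is processed and entities are expanded. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened configuration (assumption: a typical XXE-safe feature set, not
     * necessarily the exact set Spring uses internally).
     */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: without a DTD there are no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the root element's text, or the parser's refusal. */
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parseRootText(defaultFactory(), UNTRUSTED_XML));
        System.out.println("hardened: " + parseRootText(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

Run with `javac XmlParserHardening.java && java XmlParserHardening`. The first line shows the entity expanded; the second shows the hardened parser rejecting the document before any entity is touched. The affected Jaxp13XPathTemplate versions take the first kind of path for StreamSource and SAXSource input, which is why the advisory's remedy is the version upgrade listed under Mitigation Strategies rather than a configuration change in the application.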


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-23
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30
External references: NVD, EUVD

Affected Vendors & Products

4 associated CPEs:

Vendor   Product              Version / Range
vmware   spring_web_services  3.1.0 (inclusive) to 3.1.8 (inclusive)
vmware   spring_web_services  4.0.0 (inclusive) to 4.0.18 (inclusive)
vmware   spring_web_services  4.1.0 (inclusive) to 4.1.3 (inclusive)
vmware   spring_web_services  5.0.0 (inclusive) to 5.0.1 (inclusive)

Exploitability

CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

AI Quick Actions

Compliance Impact

The vulnerability allows attacker-controlled XML to be parsed insecurely, exposing applications to XML External Entity (XXE) attacks. Such attacks could lead to confidential file disclosure or server-side request forgery.

This exposure to unauthorized data access or disclosure could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could result in violations of these standards due to potential breaches of confidentiality and data security.

Executive Summary

CVE-2026-40998 is a security vulnerability in certain versions of Spring Web Services involving the Jaxp13XPathTemplate component.

This component evaluates XPath expressions for StreamSource and SAXSource inputs using the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration.

As a result, attacker-controlled XML can be parsed with insecure settings, exposing applications to XML External Entity (XXE) attacks.

These XXE attacks can allow attackers to disclose confidential files or perform server-side request forgery depending on the parser and platform behavior.

Impact Analysis

If your application evaluates XPath expressions against untrusted XML payloads using the affected versions of Spring Web Services, it could be vulnerable to XXE attacks.

  • Confidential file disclosure: Attackers may access sensitive files on the server.
  • Server-side request forgery (SSRF): Attackers may cause the server to make unauthorized requests.

These impacts can lead to data breaches, unauthorized access, and potential compromise of the server environment.

Mitigation Strategies

The recommended mitigation is to upgrade to the fixed versions of Spring Web Services.

  • Upgrade to 5.0.2 (OSS) or 5.0.1.1 (Enterprise Support Only) for 5.0.x versions.
  • Upgrade to 4.1.4 (OSS) or 4.1.3.1 (Enterprise Support Only) for 4.1.x versions.
  • Upgrade to 4.0.19 (Enterprise Support Only) for 4.0.x versions.
  • Upgrade to 3.1.9 (Enterprise Support Only) for 3.1.x versions.

No additional mitigation steps are necessary after upgrading.

Detection Guidance

This vulnerability arises when Jaxp13XPathTemplate evaluates XPath expressions against StreamSource or SAXSource input: the affected versions parse that input with the JDK's default DocumentBuilderFactory behavior rather than Spring's hardened parser configuration, so applications that process untrusted XML payloads this way are exposed to XXE attacks.

Detection typically involves identifying if your system is running an affected version of Spring Web Services (versions 3.1.0 through 3.1.8, 4.0.0 through 4.0.18, 4.1.0 through 4.1.3, or 5.0.0 through 5.0.1) and if your application evaluates XPath expressions on untrusted XML inputs using Jaxp13XPathTemplate.

Since the vulnerability is related to XML parsing behavior, network detection might involve monitoring for suspicious XML payloads that attempt XXE exploitation patterns.

No specific detection commands or scanning tools are provided in the available resources.
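Since the page lists no detection tooling, the Java class below is an added example (not from the advisory or the Spring project) of the version check that the Detection Guidance and Mitigation Strategies sections describe: it encodes the four inclusive affected ranges, compares dotted versions component by component so that the enterprise fix releases (e.g. 4.1.3.1) sort after the last affected version, and scans a constructed Maven pom fragment for org.springframework.ws dependencies with literal versions. Whether a given dependency is actually used to evaluate XPath over untrusted input still has to be confirmed in the application's code; a property placeholder or BOM-managed version is skipped rather than guessed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SpringWsVersionCheck {

    /** Inclusive affected ranges, as listed in the advisory for CVE-2026-40998. */
    static final String[][] AFFECTED = {
        {"3.1.0", "3.1.8"}, {"4.0.0", "4.0.18"}, {"4.1.0", "4.1.3"}, {"5.0.0", "5.0.1"}
    };

    /**
     * Compares dotted numeric versions component by component, padding the shorter
     * one with zeros so that 4.1.3.1 sorts after 4.1.3. Any qualifier after '-'
     * (e.g. -SNAPSHOT) is ignored for the comparison.
     */
    static int compare(String a, String b) {
        String[] pa = a.split("-", 2)[0].split("\\.");
        String[] pb = b.split("-", 2)[0].split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** True when the version lies inside one of the advisory's affected ranges. */
    static boolean isAffected(String version) {
        for (String[] r : AFFECTED) {
            if (compare(version, r[0]) >= 0 && compare(version, r[1]) <= 0) return true;
        }
        return false;
    }

    // Matches org.springframework.ws dependencies whose version is written literally.
    // Assumption: groupId, artifactId and version appear in that order.
    static final Pattern DEP = Pattern.compile(
        "<groupId>org\\.springframework\\.ws</groupId>\\s*"
      + "<artifactId>([^<]+)</artifactId>\\s*"
      + "<version>([^<]+)</version>", Pattern.DOTALL);

    /** Returns "artifactId:version" for each affected spring-ws dependency in a pom fragment. */
    static List<String> affectedDependencies(String pomXml) {
        List<String> hits = new ArrayList<>();
        Matcher m = DEP.matcher(pomXml);
        while (m.find()) {
            String version = m.group(2).trim();
            // Unresolved placeholders such as ${spring-ws.version} cannot be judged here.
            if (!version.matches("[0-9]+(\\.[0-9]+)*(-.*)?")) continue;
            if (isAffected(version)) hits.add(m.group(1) + ":" + version);
        }
        return hits;
    }

    // Constructed pom fragment: one affected dependency, one fixed, one unresolved.
    static final String SAMPLE_POM =
        "<dependencies>"
      + "  <dependency><groupId>org.springframework.ws</groupId>"
      + "  <artifactId>spring-ws-core</artifactId><version>4.1.3</version></dependency>"
      + "  <dependency><groupId>org.springframework.ws</groupId>"
      + "  <artifactId>spring-xml</artifactId><version>5.0.2</version></dependency>"
      + "  <dependency><groupId>org.springframework.ws</groupId>"
      + "  <artifactId>spring-ws-security</artifactId><version>${spring-ws.version}</version></dependency>"
      + "</dependencies>";

    public static void main(String[] args) {
        System.out.println("affected in sample pom: " + affectedDependencies(SAMPLE_POM));
        System.out.println("4.1.3.1 affected? " + isAffected("4.1.3.1"));
        System.out.println("4.0.18  affected? " + isAffected("4.0.18"));
    }
}
```

Run with `javac SpringWsVersionCheck.java && java SpringWsVersionCheck`. In a real build the resolved versions should come from `mvn dependency:list` or the Gradle equivalent rather than from the pom text, since transitive and BOM-managed versions are not visible there.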
