Org.apache.cxf:cxf-core
This hub aggregates every CVE we track for Org.apache.cxf:cxf-core, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 12
- Critical: 1
- High: 3
- In CISA KEV: 0
Severity distribution
- MEDIUM: 8
- HIGH: 3
- CRITICAL: 1
Monthly trend (chart, 2024-07 to 2026-06)
Latest CVEs
The 12 most recently published vulnerabilities affecting Org.apache.cxf:cxf-core.
- CVE-2025-48795: Apache CXF: Denial of Service and sensitive data exposure in logs (score: 5.6)
- CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files (score: 5.9)
- CVE-2022-46364: Apache CXF SSRF Vulnerability (score: 9.8)
- CVE-2022-46363: Apache CXF directory listing / code exfiltration (score: 7.5)
- CVE-2017-12624: Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS... (score: 5.5)
- CVE-2016-8739: The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by de... (score: 7.5)
- CVE-2016-6812: The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the avai... (score: 6.1)
- CVE-2017-5653: JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. (score: 5.3)
- CVE-2017-5656: Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return a... (score: 7.5)
- CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the User... (score: 4.3)
- CVE-2014-0109: Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpo... (score: 4.3)
- CVE-2014-0110: Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message. (score: 4.3)
Product normalization is registry-driven with AI assist and human review.