Apache cxf

This hub aggregates every CVE we track for Apache cxf, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache cxf.

• CVE-2026-50645Apache CXF: No restriction on attachment headers per message7.5Jun 12, 2026
• CVE-2026-50634Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry6.5Jun 12, 2026
• CVE-2026-50633Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl8.1Jun 12, 2026
• CVE-2026-50632Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory8.1Jun 12, 2026
• CVE-2026-50631Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing7.4Jun 12, 2026
• CVE-2026-50630Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection6.5Jun 12, 2026
• CVE-2026-50629Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier5.3Jun 12, 2026
• CVE-2026-50628Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control9.8Jun 12, 2026
• CVE-2026-50627Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator9.1Jun 12, 2026
• CVE-2026-49875Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils9.8Jun 12, 2026
• CVE-2026-50623Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService4.8Jun 12, 2026
• CVE-2026-44417Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)7.5May 22, 2026
• CVE-2026-44618Apache CXF: XXE vulnerability in WS-Transfer functionality5.3May 22, 2026
• CVE-2026-44930Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository4.3May 22, 2026
• CVE-2025-48913Apache CXF: Untrusted JMS configuration can lead to RCE9.8Aug 8, 2025