{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-40998","status":"final","version":"1","initial_release_date":"2026-06-11T05:04:12.565Z","current_release_date":"2026-06-11T16:13:57.138Z","revision_history":[{"date":"2026-06-11T05:04:12.565Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-40998 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-40998"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-40998"},{"category":"external","summary":"spring.io","url":"https://spring.io/security/cve-2026-40998"}]},"product_tree":{"branches":[{"category":"vendor","name":"Spring","branches":[{"category":"product_name","name":"Spring Web Services","branches":[{"category":"product_version_range","name":">=5.0.0 <5.0.2","product":{"name":"Spring Spring Web Services >=5.0.0 <5.0.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=4.1.0 <4.1.4","product":{"name":"Spring Spring Web Services >=4.1.0 <4.1.4","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=4.0.0 <4.0.19","product":{"name":"Spring Spring Web Services >=4.0.0 <4.0.19","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=3.1.0 <3.1.9","product":{"name":"Spring Spring Web Services >=3.1.0 <3.1.9","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-40998","title":"Jaxp13 XPath XXE via StreamSource and SAXSource","notes":[{"category":"description","text":"Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 3.1.9, 4.0.19, 4.1.4, 5.0.2.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}