PatchSiren cyber security CVE debrief
CVE-2026-40998 Spring CVE debrief
CVE-2026-40998 is a vulnerability in Spring Web Services that allows XML External Entity (XXE) style attacks. Jaxp13XPathTemplate evaluated XPath expressions over StreamSource and SAXSource inputs through a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration, so DOCTYPE declarations and external entity references in the input were honored rather than rejected. This vulnerability affects Spring Web Services versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Developers and operators of applications built on an affected Spring Web Services release that evaluate XPath expressions with Jaxp13XPathTemplate over XML arriving from outside the trust boundary, for example SOAP request payloads handed to the template as a StreamSource or SAXSource. Applications that only pass already-parsed DOM trees are outside the code path the advisory describes, but should still upgrade rather than rely on that distinction.
Technical summary
The root cause is that Jaxp13XPathTemplate, when given a StreamSource or SAXSource, built a DOM from attacker-controlled XML using the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. The default factory accepts a DOCTYPE and resolves the external entities it declares, so a request containing an entity such as <!ENTITY x SYSTEM "file:///..."> is expanded inside the parser before any application code sees the document, and the expanded content flows into the XPath result. The consequences are the usual XXE outcomes: disclosure of local files or internal service responses to the caller, server-side requests to hosts the attacker names, and denial of service through entity expansion. Input validation at the application layer does not help here, because the expansion has already happened by the time the application inspects the parsed document.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a Spring Web Services release outside the affected ranges listed above; this is the only complete fix.
- Until the upgrade lands, ensure that XML from untrusted sources is never parsed by a default-configured JAXP parser: parse it yourself with a DocumentBuilderFactory that rejects DOCTYPE declarations and disables external general and parameter entities, and hand the resulting DOM to XPath evaluation instead of a StreamSource or SAXSource. Validating or sanitizing the request body on its own is not a mitigation, since entity expansion happens inside the parser.
- Restrict outbound network access from the service where possible, so that an XXE payload cannot be turned into a server-side request to internal hosts.
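The following is an added example, not code from the Spring project or from this advisory, that demonstrates the mechanism described in the technical summary and the parser-hardening mitigation recommended above. It evaluates the same XPath over one constructed XXE payload twice: once with the JDK's default DocumentBuilderFactory (the behavior the affected code path relied on) and once with a hardened factory. The XPath expression, the element names, the temporary "secret" file and the use of the plain javax.xml.xpath API in place of Jaxp13XPathTemplate are all assumptions made for the demonstration; the hardening features shown are the standard JAXP ones and are not specific to Spring's own configuration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Hypothetical XPath an application might evaluate over an inbound request body.
    private static final String XPATH = "/request/name/text()";

    // Constructed attacker payload: a DOCTYPE declaring an external entity that
    // points at a local file, referenced inside the element the XPath reads.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE request [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<request><name>&xxe;</name></request>";
    }

    // Weak configuration: the JDK default DocumentBuilderFactory. It accepts the
    // DOCTYPE and resolves the SYSTEM entity while building the DOM.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse DOCTYPE outright and, as defence in depth for
    // parsers that ignore that feature, also disable external entities, external
    // DTD loading, XInclude and entity-reference expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the XML with the given factory, then evaluate the XPath over the DOM.
    // Passing a pre-built Document (rather than a stream) is the shape of the
    // interim mitigation: the hardened parser runs before any XPath code does.
    static String evaluate(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate(XPATH, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (credentials, /etc/passwd, ...).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = payload(secret);

        // Default parser: the entity is expanded and the file's contents surface in
        // the XPath result, which is the disclosure channel the advisory warns about.
        System.out.println("default : " + evaluate(defaultFactory(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity can be resolved.
        try {
            System.out.println("hardened: " + evaluate(hardenedFactory(), xml));
        } catch (SAXException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with a JDK 11 or newer (Files.writeString). With the default factory the first call returns the temporary file's contents through the XPath result; with the hardened factory the parse fails on the DOCTYPE with a SAXParseException, and no file access or network access ever occurs. If the JDK in use already restricts the jdk.xml.accessExternalDTD property through jaxp.properties, the default call fails as well; that is a JVM-wide setting worth checking on hosts that cannot be upgraded immediately, but it is not a substitute for the fixed library version.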
Evidence notes
The CVE-2026-40998 vulnerability has a CVSS score of 8.2 and is classified as HIGH severity. The vulnerability was published on June 11, 2026, and last modified on June 11, 2026.
Official resources
- CVE-2026-40998 CVE record (CVE.org)
- CVE-2026-40998 NVD detail (NVD)