org.apache.cxf:cxf-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.cxf:cxf-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2022-46364 — CVSS 9.8 (critical): A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows…
CVE-2017-5656 — CVSS 7.5 (high): Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means…
CVE-2016-8739 — CVSS 7.5 (high): The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers…
CVE-2022-46363 — CVSS 7.5 (high): A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code…
CVE-2016-6812 — CVSS 6.1 (medium): The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page…
CVE-2025-23184 — CVSS 5.9 (medium): A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the…
CVE-2025-48795 — CVSS 5.6 (medium): Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire…
CVE-2017-12624 — CVSS 5.5 (medium): Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message…
CVE-2017-5653 — CVSS 5.3 (medium): JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or…
CVE-2014-0035 — CVSS 4.3 (medium): The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy…
CVE-2014-0110 — CVSS 4.3 (medium): Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large…
CVE-2014-0109 — CVSS 4.3 (medium): Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large…