Every CVE whose affected-product data names Apache Cxf, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (57)
CVE-2012-2379 — CVSS 10.0 (critical): Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1…
CVE-2012-0803 — CVSS 9.8 (critical): The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty…
CVE-2010-2076 — CVSS 9.8 (critical): Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry…
CVE-2026-50628 — CVSS 9.8 (critical): A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from…
CVE-2026-49875 — CVSS 9.8 (critical): Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening…
CVE-2026-44930 — CVSS 9.8 (critical): An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve…
CVE-2025-48913 — CVSS 9.8 (critical): If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code…
CVE-2022-46364 — CVSS 9.8 (critical): A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows…
CVE-2019-12419 — CVSS 9.8 (critical): Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There…
CVE-2024-28752 — CVSS 9.3 (critical): A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF…
CVE-2026-50627 — CVSS 9.1 (critical): The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a…
CVE-2024-29736 — CVSS 9.1 (critical): A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF…
CVE-2026-50632 — CVSS 8.1 (high): A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been…
CVE-2026-50633 — CVSS 8.1 (high): A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an…
CVE-2018-8039 — CVSS 8.1 (high): It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs"…
CVE-2017-3156 — CVSS 7.5 (high): The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC…
CVE-2016-8739 — CVSS 7.5 (high): The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers…
CVE-2017-5656 — CVSS 7.5 (high): Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means…
CVE-2019-12423 — CVSS 7.5 (high): Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be…
CVE-2021-22696 — CVSS 7.5 (high): CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0…
CVE-2021-30468 — CVSS 7.5 (high): A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results…
CVE-2021-40690 — CVSS 7.5 (high): All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation"…
CVE-2022-46363 — CVSS 7.5 (high): A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code…
CVE-2024-32007 — CVSS 7.5 (high): An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a…
CVE-2024-41172 — CVSS 7.5 (high): In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent…
CVE-2026-44417 — CVSS 7.5 (high): The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code…
CVE-2026-50645 — CVSS 7.5 (high): There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can…
CVE-2026-50631 — CVSS 7.4 (high): A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and…
CVE-2019-12406 — CVSS 6.5 (medium): Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the…
CVE-2026-50634 — CVSS 6.5 (medium): A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated…
CVE-2026-50630 — CVSS 6.5 (medium): A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the…
CVE-2012-5575 — CVSS 6.4 (medium): Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm…
CVE-2019-17573 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…
CVE-2016-6812 — CVSS 6.1 (medium): The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page…
CVE-2020-13954 — CVSS 6.1 (medium): By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is…
CVE-2011-2487 — CVSS 5.9 (medium): The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a…
CVE-2025-23184 — CVSS 5.9 (medium): A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the…
CVE-2012-5633 — CVSS 5.8 (medium): The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor…
CVE-2012-5786 — CVSS 5.8 (medium): The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not…
CVE-2025-48795 — CVSS 5.6 (medium): Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire…
CVE-2017-12624 — CVSS 5.5 (medium): Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message…
CVE-2017-5653 — CVSS 5.3 (medium): JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or…
CVE-2026-50629 — CVSS 5.3 (medium): The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing…
CVE-2020-1954 — CVSS 5.3 (medium): Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the…
CVE-2026-44618 — CVSS 5.3 (medium): Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to…
CVE-2013-0239 — CVSS 5.0 (medium): Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows…
CVE-2013-2160 — CVSS 5.0 (medium): The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a…
CVE-2014-3623 — CVSS 5.0 (medium): Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using…
CVE-2014-3584 — CVSS 5.0 (medium): The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial…
CVE-2026-50623 — CVSS 4.8 (medium): An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in…
CVE-2014-0034 — CVSS 4.3 (medium): The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is…
CVE-2014-0109 — CVSS 4.3 (medium): Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large…
CVE-2014-0035 — CVSS 4.3 (medium): The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy…
CVE-2014-0110 — CVSS 4.3 (medium): Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large…
CVE-2012-3451 — CVSS 4.3 (medium): Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by…
CVE-2012-2378 — CVSS 4.3 (medium): Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a…
CVE-2015-5253 — CVSS 4.0 (medium): The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass…