Vulnerability intelligence
CVE-2026-40998
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVSS Score
8.2
High
EPSS — Exploit Probability
0.0%
Riskier than 11% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
1 article across 1 outlet · first covered Jun 12, 2026 · latest Jun 12, 2026
Tracked incidents
Coverage timeline
-
Spring Framework Patches Critical Flaws, Urges Immediate Upgradesecurityonline.info · Jun 12, 2026