COOEY // HUBcompliance · community · intelligence

FAIL › dossier

cxf product

4
failure events
0
zero-days
0
RCEs
0
on KEV
4
critical
35
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 4 events

DateEventSevFlagsShameSummary
2026-06-12 CVE-2026-49875 critical 35 Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix t
2026-06-12 CVE-2026-50627 critical 35 The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Rou
2026-06-12 CVE-2026-50628 critical 35 A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to v
2026-05-22 CVE-2026-44930 critical 35 An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.