Author: buildbot
Date: Fri May 22 10:43:09 2026
New Revision: 1093054
Log:
Production update by buildbot for cxf
Added:
websites/production/cxf/content/security-advisories.data/CVE-2026-44417.txt
websites/production/cxf/content/security-advisories.data/CVE-2026-44618.txt
websites/production/cxf/content/security-advisories.data/CVE-2026-44930.txt
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/download.html
websites/production/cxf/content/index.html
websites/production/cxf/content/security-advisories.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary file (source and/or target). No diff available.
Modified: websites/production/cxf/content/download.html
==============================================================================
--- websites/production/cxf/content/download.html Fri May 22 00:47:06
2026 (r1093053)
+++ websites/production/cxf/content/download.html Fri May 22 10:43:09
2026 (r1093054)
@@ -108,7 +108,7 @@ Apache CXF -- Download
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="Download-Releases">Releases</h1><h2
id="Download-4.2.1">4.2.1</h2><p>The 4.2.1 is our release to feature Jakarta EE
11 support and JDK-17 baseline. For a complete list of new features, API
changes, etc... please see the <a shape="rect"
href="cxf-421-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/42-migration-guide.html">migration guide</a>.
This release has dependency on alpha releases of Undertow project and as such
Undertow integration may not be stable.</p><div class="table-wrap"><table
class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col
span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz">apache-cxf-4.2.1-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz.sha256">apache-cxf-4.2.1-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz.asc">apache-cxf-4.2.1-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1-src.zip">apache-cxf-4.2.1-src.zip</a></p>
</td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.zip.sha256">apache-cxf-4.2.1-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.zip.asc">apache-cxf-4.2.1-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1.tar.gz">apache-cxf-4.2.1.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.tar.gz.sha256">apache-cxf-4.2.1.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" cl
ass="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.tar.gz.asc">apache-cxf-4.2.1.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1.zip">apache-cxf-4.2.1.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.zip.sha256">apache-cxf-4.2.1.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.zip.asc">apache-cxf-4.2.1.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-4.1.6">4.1.6</h2><p>The 4.1.6 is our release to feature Jakarta
EE 10 support and JDK-17 baseline. For a complete list of new featu
res, API changes, etc... please see the <a shape="rect"
href="cxf-416-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/41-migration-guide.html">migration
guide</a>.</p><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col
span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz">apache-cxf-4.1.6-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a s
hape="rect" class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz.sha256">apache-cxf-4.1.6-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz.asc">apache-cxf-4.1.6-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6-src.zip">apache-cxf-4.1.6-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.zip.sha256">apache-cxf-4.1.6-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://downloads.apa
che.org/cxf/4.1.6/apache-cxf-4.1.6-src.zip.asc">apache-cxf-4.1.6-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6.tar.gz">apache-cxf-4.1.6.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.tar.gz.sha256">apache-cxf-4.1.6.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.tar.gz.asc">apache-cxf-4.1.6.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://www.apach
e.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6.zip">apache-cxf-4.1.6.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.zip.sha256">apache-cxf-4.1.6.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.zip.asc">apache-cxf-4.1.6.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-4.0.11">4.0.11</h2><p>The 4.0.11 is our release to feature
Jakarta EE 9.1 support and JDK-11 baseline. For a complete list of new
features, API changes, etc... please see the <a shape="rect"
href="cxf-4011-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/40-migration-guide.html">migration guide</a>.
This is the last planned release for 4.0.x release line.</p><div
class="table-wrap"><table class="wrapped confluenceTable
"><colgroup span="1"><col span="1"><col span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.0.11/apache-cxf-4.0.11-src.tar.gz">apache-cxf-4.0.11-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11-src.tar.gz.sha256">apache-cxf-4.0.11-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://
downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11-src.tar.gz.asc">apache-cxf-4.0.11-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.0.11/apache-cxf-4.0.11-src.zip">apache-cxf-4.0.11-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11-src.zip.sha256">apache-cxf-4.0.11-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11-src.zip.asc">apache-cxf-4.0.11-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="e
xternal-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.0.11/apache-cxf-4.0.11.tar.gz">apache-cxf-4.0.11.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11.tar.gz.sha256">apache-cxf-4.0.11.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11.tar.gz.asc">apache-cxf-4.0.11.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.0.11/apache-cxf-4.0.11.zip">apache-cxf-4.0.11.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11.zi
p.sha256">apache-cxf-4.0.11.zip.sha256</a></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/4.0.11/apache-cxf-4.0.11.zip.asc">apache-cxf-4.0.11.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-3.6.11">3.6.11</h2><p>The 3.6.11 release is an updated version of
3.x to move to a fully JDK-11 baseline. This allows for new dependencies,
security updates, and a few additional features, yet remains JEE 8.x
compatible(javax.* namespace). For a complete list of new features, API
changes, etc... please see the <a shape="rect"
href="cxf-3611-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/36-migration-guide.html">migration
guide</a>.</p><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col
span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Descr
iption</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz">apache-cxf-3.6.11-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz.sha256">apache-cxf-3.6.11-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz.asc">apache-cxf-3.6.11-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="c
onfluenceTd"><p><br clear="none"></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11-src.zip">apache-cxf-3.6.11-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.zip.sha256">apache-cxf-3.6.11-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.zip.asc">apache-cxf-3.6.11-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11.tar.gz">apache-cxf-3.6.11.tar.gz</a></p></td><td
colspan="1" rowspan=
"1" class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.tar.gz.sha256">apache-cxf-3.6.11.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.tar.gz.asc">apache-cxf-3.6.11.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11.zip">apache-cxf-3.6.11.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.zip.sha256">apache-cxf-3.6.11.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://d
ownloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.zip.asc">apache-cxf-3.6.11.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-3.5.11">3.5.11</h2><p>The 3.5.11 release is our latest release
representing a significant amount of work on new features, enhancements, code
cleanups, etc... For a complete list of new features, API changes, etc...
please see the <a shape="rect" href="cxf-3511-release-notes.html">release
notes</a> and <a shape="rect"
href="http://cxf.apache.org/docs/35-migration-guide.html">migration guide</a>.
This is the last maintenance release for 3.5.x release line.</p><div
class="table-wrap"><table class="wrapped confluenceTable"><colgroup
span="1"><col span="1"><col span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1" cla
ss="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.5.11/apache-cxf-3.5.11-src.tar.gz">apache-cxf-3.5.11-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11-src.tar.gz.sha256">apache-cxf-3.5.11-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11-src.tar.gz.asc">apache-cxf-3.5.11-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://www.apache.org/dyn/closer.lua/cx
f/3.5.11/apache-cxf-3.5.11-src.zip">apache-cxf-3.5.11-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11-src.zip.sha256">apache-cxf-3.5.11-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11-src.zip.asc">apache-cxf-3.5.11-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.5.11/apache-cxf-3.5.11.tar.gz">apache-cxf-3.5.11.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11.tar.gz.sha256">apache-cxf-3.5.11.tar.gz.sha256</
a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11.tar.gz.asc">apache-cxf-3.5.11.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.5.11/apache-cxf-3.5.11.zip">apache-cxf-3.5.11.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11.zip.sha256">apache-cxf-3.5.11.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.5.11/apache-cxf-3.5.11.zip.asc">apache-cxf-3.5.11.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-VerifyingReleases">Verifying Releases<
/h2><p>When downloading from a mirror it is recommended to verify the
integrity of the downloads. This should preferably be done by verifying the
OpenPGP compatible signature available from the main Apache site. The <a
shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/KEYS">KEYS</a> file contains the public
keys used for signing the release. It is recommended that a web of trust is
used to confirm the identity of these keys.</p><p>You can check the OpenPGP
signature with GnuPG via:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<div id="ConfluenceContent"><h1 id="Download-Releases">Releases</h1><h2
id="Download-4.2.1">4.2.1</h2><p>The 4.2.1 is our release to feature Jakarta EE
11 support and JDK-17 baseline. For a complete list of new features, API
changes, etc... please see the <a shape="rect"
href="cxf-421-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/42-migration-guide.html">migration guide</a>.
This release has dependency on alpha releases of Undertow project and as such
Undertow integration may not be stable.</p><div class="table-wrap"><table
class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col
span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz">apache-cxf-4.2.1-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz.sha256">apache-cxf-4.2.1-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.tar.gz.asc">apache-cxf-4.2.1-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1-src.zip">apache-cxf-4.2.1-src.zip</a></p>
</td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.zip.sha256">apache-cxf-4.2.1-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1-src.zip.asc">apache-cxf-4.2.1-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1.tar.gz">apache-cxf-4.2.1.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.tar.gz.sha256">apache-cxf-4.2.1.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" cl
ass="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.tar.gz.asc">apache-cxf-4.2.1.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.2.1/apache-cxf-4.2.1.zip">apache-cxf-4.2.1.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.zip.sha256">apache-cxf-4.2.1.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.2.1/apache-cxf-4.2.1.zip.asc">apache-cxf-4.2.1.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-4.1.6">4.1.6</h2><p>The 4.1.6 is our release to feature Jakarta
EE 10 support and JDK-17 baseline. For a complete list of new featu
res, API changes, etc... please see the <a shape="rect"
href="cxf-416-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/41-migration-guide.html">migration
guide</a>.</p><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col
span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz">apache-cxf-4.1.6-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a s
hape="rect" class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz.sha256">apache-cxf-4.1.6-src.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.tar.gz.asc">apache-cxf-4.1.6-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6-src.zip">apache-cxf-4.1.6-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6-src.zip.sha256">apache-cxf-4.1.6-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://downloads.apa
che.org/cxf/4.1.6/apache-cxf-4.1.6-src.zip.asc">apache-cxf-4.1.6-src.zip.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>Binary
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a
shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6.tar.gz">apache-cxf-4.1.6.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.tar.gz.sha256">apache-cxf-4.1.6.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.tar.gz.asc">apache-cxf-4.1.6.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link" href="https://www.apach
e.org/dyn/closer.lua/cxf/4.1.6/apache-cxf-4.1.6.zip">apache-cxf-4.1.6.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.zip.sha256">apache-cxf-4.1.6.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/4.1.6/apache-cxf-4.1.6.zip.asc">apache-cxf-4.1.6.zip.asc</a></p></td></tr></tbody></table></div><h2
id="Download-3.6.11">3.6.11</h2><p>The 3.6.11 release is an updated version of
3.x to move to a fully JDK-11 baseline. This allows for new dependencies,
security updates, and a few additional features, yet remains JEE 8.x
compatible(javax.* namespace). For a complete list of new features, API
changes, etc... please see the <a shape="rect"
href="cxf-3611-release-notes.html">release notes</a> and <a shape="rect"
href="https://cxf.apache.org/docs/36-migration-guide.html">migra
tion guide</a>. This is the last planned release for 3.6.x release
line.</p><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col
span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>sha256</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz">apache-cxf-3.6.11-src.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz.sha256">apache-cxf-3.6.
11-src.tar.gz.sha256</a></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.tar.gz.asc">apache-cxf-3.6.11-src.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11-src.zip">apache-cxf-3.6.11-src.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.zip.sha256">apache-cxf-3.6.11-src.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11-src.zip.asc">apache-cxf-3.6.11-src.zip.asc</a></p></td></tr><tr><td
colspan="1" row
span="1" class="confluenceTd"><p>Binary distribution</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11.tar.gz">apache-cxf-3.6.11.tar.gz</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.tar.gz.sha256">apache-cxf-3.6.11.tar.gz.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.tar.gz.asc">apache-cxf-3.6.11.tar.gz.asc</a></p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dyn/closer.lua/cxf/3.6.11/apache-cxf-3.6.11.zip">apache-cxf-3.6.11.zip</a></p></td><td
colspan="1" row
span="1" class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.zip.sha256">apache-cxf-3.6.11.zip.sha256</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://downloads.apache.org/cxf/3.6.11/apache-cxf-3.6.11.zip.asc">apache-cxf-3.6.11.zip.asc</a></p></td></tr></tbody></table></div><p><br
clear="none"></p><h2 id="Download-VerifyingReleases">Verifying
Releases</h2><p>When downloading from a mirror it is recommended to verify the
integrity of the downloads. This should preferably be done by verifying the
OpenPGP compatible signature available from the main Apache site. The <a
shape="rect" class="external-link"
href="https://downloads.apache.org/cxf/KEYS">KEYS</a> file contains the public
keys used for signing the release. It is recommended that a web of trust is
used to confirm the identity of these keys.</p><p>You can check the OpenPGP
signature with Gn
uPG via:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: bash; gutter: false; theme: Default">gpg --import KEYS
gpg --verify apache-cxf-*.tar.gz.asc
</pre>
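Review bot: In the Verifying Releases block at the end of this hunk, `gpg --verify apache-cxf-*.tar.gz.asc` hands a shell glob to a command that treats its first argument as the signature and any further arguments as the signed data, so if more than one matching .asc file is in the directory (several versions, for instance) the check does not verify what the reader expects. Suggest naming both files explicitly, e.g. `gpg --verify apache-cxf-3.6.11.tar.gz.asc apache-cxf-3.6.11.tar.gz`. The table links a .sha256 file for every artifact, but the text never says how to check it or that a hash alone does not authenticate the download; one sentence on that would close the gap.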
Modified: websites/production/cxf/content/index.html
==============================================================================
--- websites/production/cxf/content/index.html Fri May 22 00:47:06 2026
(r1093053)
+++ websites/production/cxf/content/index.html Fri May 22 10:43:09 2026
(r1093054)
@@ -99,7 +99,7 @@ Apache CXF -- Index
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1
id="Index-ApacheCXF™:AnOpen-SourceServicesFramework">Apache CXF™:
An Open-Source Services Framework</h1><h2
id="Index-Overview">Overview</h2><p>Apache CXF™ is an open source
services framework. CXF helps you build and develop services using frontend
programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of
protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a
variety of transports such as HTTP, JMS or JBI.</p><h2
id="Index-News">News</h2><h3
id="Index-May20,2026-ApacheCXF4.2.1,4.1.6and3.6.11released!">May 20, 2026 -
Apache CXF 4.2.1, 4.1.6 and 3.6.11 released!</h3><p>The Apache CXF team is
proud to announce the availability of our latest patch
releases! </p><p>Over 15 JIRA issues were fixed for 4.2.1,  10 JIRA
issues were fixed for 4.1.6, and 8 JIRA issues were fixed for
3.6.11.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3 id="Index-Feb16,2
026-ApacheCXF4.2.0,4.1.5,4.0.11and3.6.10released!">Feb 16, 2026 - Apache CXF
4.2.0, 4.1.5, 4.0.11 and 3.6.10 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases! </p><p>4.2.0
brings Jakarta EE 11 support, over 15 JIRA issues were fixed for 4.1.5,
 14 JIRA issues were fixed for 4.0.11, 8 JIRA issues were fixed for
3.6.10.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Nov17,2025-ApacheCXF4.1.4,4.0.10and3.6.9released!">Nov 17, 2025 -
Apache CXF 4.1.4, 4.0.10 and 3.6.9 released!</h3><p>The Apache CXF team is
proud to announce the availability of our latest patch
releases! </p><p>Over 13 JIRA issues were fixed for 4.1.4,  11 JIRA
issues were fixed for 4.0.10, 12 JIRA issues were fixed for
3.6.9.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Aug06,2025-ApacheCXF4.1.3,4.0.9and3.6.8released!">Aug 06, 2025 -
Apache C
XF 4.1.3, 4.0.9 and 3.6.8 released!</h3><p>The Apache CXF team is proud to
announce the availability of our latest patch releases!  Over 10 JIRA
issues were fixed for 4.1.3 and 4.0.9, </p><p>6 JIRA issues were fixed for
3.6.8. These releases contain a fix for a new CVE:</p><ul><li><a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2025-48913.txt">https://cxf.apache.org/security-advisories.data/CVE-2025-48913.txt</a></li></ul><p>Downloads
are available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-May23,2025-ApacheCXF4.1.2,4.0.8and3.6.7released!">May 23, 2025 -
Apache CXF 4.1.2, 4.0.8 and 3.6.7 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 16 JIRA
issues were fixed for 4.1.2, </p><p>11 JIRA issues were fixed for 4.0.8,
10 JIRA issues were fixed for 3.6.7.</p><p>Downloads are available <a
shape="rect" href="download.html">here</a>.</p><h3 id="Index-Ma
r6,2025-ApacheCXF4.1.1,4.0.7,3.6.6and3.5.11released!">Mar 6, 2025 - Apache CXF
4.1.1, 4.0.7, 3.6.6 and 3.5.11 released!</h3><p>The Apache CXF team is proud to
announce the availability of our latest patch releases!  Over 17 JIRA
issues were fixed for 4.1.1, </p><p>14 JIRA issues were fixed for 4.0.7,
11 JIRA issues were fixed for 3.6.6 and 5 JIRA issues were fixed for
3.5.11.</p><p>Please note that the CXF 3.5.11 is the last release of CXF 3.5.x
series</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Dec13,2024-ApacheCXF4.1.0released!">Dec 13, 2024 - Apache CXF 4.1.0
released!</h3><p>The Apache CXF team is proud to announce the availability of
CXF 4.1.0!  The 4.1.0 is our first release to feature Jakarta EE 10
support and JDK-17 baseline</p><p>Over 54 JIRA issues were fixed for
4.1.0, </p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3 id="Index-Dec9,2024-ApacheCXF3.5.10,3.6.5
and4.0.6released!">Dec 9, 2024 - Apache CXF 3.5.10, 3.6.5 and 4.0.6
released!</h3><p>The Apache CXF team is proud to announce the availability of
our latest patch releases!  Over 29 JIRA issues were fixed for
4.0.6, </p><p>25 JIRA issues were fixed for 3.6.5 and 18 JIRA issues were
fixed for 3.5.10.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-July17,2024-ApacheCXF3.5.9,3.6.4and4.0.5released!">July 17, 2024 -
Apache CXF 3.5.9, 3.6.4 and 4.0.5 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 19 JIRA
issues were fixed for 4.0.5.</p><p>These releases contain fixes for 3 different
CVEs:</p><ul><li><a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-29736.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-29736.txt</a></li><li><a
shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-32007.txt">https:
//cxf.apache.org/security-advisories.data/CVE-2024-32007.txt</a></li><li><a
shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-41172.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-41172.txt</a></li></ul><p>Downloads
are available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-March12,2024-ApacheCXF3.5.8,3.6.3and4.0.4released!">March 12, 2024 -
Apache CXF 3.5.8, 3.6.3 and 4.0.4 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 28 JIRA
issues were fixed for 4.0.4.</p><p>These releases contain a fix for a new
security issue: <a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt</a></p><p>Downloads
are available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-Sept18,2023-ApacheCXF3.5.7,3.6.2and4.0.3released!">Sept 18, 2023 -
Apache CXF 3.5
.7, 3.6.2 and 4.0.3 released!</h3><p>The Apache CXF team is proud to announce
the availability of our latest patch releases!  Over 15 JIRA issues were
fixed for 4.01 and 3.5.6.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-June12,2023-ApacheCXF3.6.1and4.0.2released!">June 12, 2023 - Apache
CXF 3.6.1 and 4.0.2 released!</h3><p>The Apache CXF team is proud to announce
the availability of our latest patch releases!  Over 7 JIRA issues were
fixed for 4.0.2 and 3.6.1.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-May8,2023-ApacheCXF3.5.6,3.6.0and4.0.1released!">May 8, 2023 - Apache
CXF 3.5.6, 3.6.0 and 4.0.1 released!</h3><p>The Apache CXF team is proud to
announce the availability of our latest patch releases!  Over 15 JIRA
issues were fixed for 4.01 and 3.5.6.</p><p>Downloads are available <a
shape="rect" href="download.html">here</a>.</p><h3 id="Index-Features"
>Features</h3><p>CXF includes a broad feature set, but it is primarily focused
>on the following areas:</p><ul><li><strong>Web Services Standards
>Support:</strong> CXF supports a variety of web service standards including
>SOAP, the WS-I Basic Profile, WSDL, WS-Addressing, WS-Policy,
>WS-ReliableMessaging, WS-Security, WS-SecurityPolicy, WS-SecureConverstation,
>and WS-Trust (partial).</li><li><strong>Frontends:</strong> CXF supports a
>variety of "frontend" programming models.</li></ul><p>CXF implements the
>JAX-WS APIs. CXF JAX-WS support includes some extensions to the standard that
>make it significantly easier to use, compared to the reference
>implementation: It will automatically generate code for request and response
>bean classes, and does not require a WSDL for simple cases.</p><p>It also
>includes a "simple frontend" which allows creation of clients and endpoints
>without annotations. CXF supports both contract first development with WSDL
>and code first development starting from Jav
a.</p><p>For REST, CXF also supports a JAX-RS
frontend.</p><ul><li><strong>Ease of use:</strong> CXF is designed to be
intuitive and easy to use. There are simple APIs to quickly build code-first
services, Maven plug-ins to make tooling integration easy, JAX-WS API support,
Spring 2.x XML support to make configuration a snap, and much
more.</li><li><strong>Binary and Legacy Protocol Support:</strong> CXF has been
designed to provide a pluggable architecture that supports not only XML but
also non-XML type bindings, such as JSON and CORBA, in combination with any
type of transport.</li></ul><p>To get started using CXF, check out the <a
shape="rect" href="download.html">downloads</a>, the <a shape="rect"
href="http://cxf.apache.org/docs/index.html">user's guide</a>, or the <a
shape="rect" href="mailing-lists.html">mailing lists</a> to get more
information!</p><h2 id="Index-Goals">Goals</h2><h3
id="Index-General">General</h3><ul><li>High
Performance</li><li>Extensible</li><li>Intuitive
& Easy to Use</li></ul><h3 id="Index-SupportforStandards">Support for
Standards</h3><h5 id="Index-JSRSupport">JSR Support</h5><ul><li>JAX-WS - Java
API for XML-Based Web Services (JAX-WS) 2.0 - <a shape="rect"
class="external-link" href="http://jcp.org/en/jsr/detail?id=224"
rel="nofollow">JSR-224</a></li><li>Web Services Metadata for the Java Platform
- <a shape="rect" class="external-link"
href="http://jcp.org/en/jsr/detail?id=181"
rel="nofollow">JSR-181</a></li><li>JAX-RS - The Java API for RESTful Web
Services - <a shape="rect" class="external-link"
href="http://jcp.org/en/jsr/detail?id=311" rel="nofollow">JSR-311,</a> <a
shape="rect" class="external-link" href="https://jcp.org/en/jsr/detail?id=370"
rel="nofollow">JSR-370</a></li><li>SAAJ - SOAP with Attachments API for Java
(SAAJ) - <a shape="rect" class="external-link"
href="http://jcp.org/aboutJava/communityprocess/mrel/jsr067/index3.html"
rel="nofollow">JSR-67</a></li></ul><h5
id="Index-WS-*andrelatedSpecificationsSuppor
t">WS-* and related Specifications Support</h5><ul><li>Basic support: WS-I
Basic Profile 1.1</li><li>Quality of Service: WS-Reliable
Messaging</li><li>Metadata: WS-Policy, WSDL 1.1 - Web Service Definition
Language</li><li>Communication Security: WS-Security, WS-SecurityPolicy,
WS-SecureConversation, WS-Trust (partial support)</li><li>Messaging Support:
WS-Addressing, SOAP 1.1, SOAP 1.2, Message Transmission Optimization Mechanism
(MTOM)</li></ul><h5 id="Index-OpenAPISpecification(OAS)Support">OpenAPI
Specification (OAS) Support</h5><ul><li>OAS 2.0 (classic Swagger
specification)</li><li>OAS 3.0.x (new revised specification)</li></ul><h3
id="Index-MultipleTransports,ProtocolBindings,DataBindings,andFormats">Multiple
Transports, Protocol Bindings, Data Bindings, and
Formats</h3><ul><li>Transports: HTTP, Servlet, JMS, In-VM and many others via
the <a shape="rect" class="external-link"
href="http://camel.apache.org/camel-transport-for-cxf.html">Camel transport for
CXF</a> such as SMTP/
POP3, TCP and Jabber</li><li>Protocol Bindings: SOAP, REST/HTTP, pure
XML</li><li>Data bindings: JAXB 2.x, Aegis, Apache XMLBeans, Service Data
Objects (SDO), JiBX</li><li>Formats: XML Textual, JSON,
FastInfoset</li><li>Extensibility API allows additional bindings for CXF,
enabling additional message format support such as CORBA/IIOP</li></ul><h3
id="Index-FlexibleDeployment">Flexible Deployment</h3><ul><li>Lightweight
containers: deploy services in Jetty, Tomcat or Spring-based
containers</li><li>JBI integration: deploy as a service engine in a JBI
container such as ServiceMix, OpenESB or Petals</li><li>Java EE integration:
deploy services in Java EE application servers such as Apache Geronimo, JOnAS,
Redhat JBoss, OC4J, Oracle WebLogic, and IBM WebSphere</li><li>Standalone Java
client/server</li></ul><h3
id="Index-SupportforMultipleProgrammingLanguages">Support for Multiple
Programming Languages</h3><ul><li>Full support for JAX-WS 2.x client/server
programming model</li><li>JAX-WS
2.x synchronous, asynchronous and one-way API's</li><li>JAX-WS 2.x Dynamic
Invocation Interface (DII) API</li><li>JAX-RS for RESTful
clients</li><li>Support for wrapped and non-wrapped styles</li><li>XML
messaging API</li><li>Support for JavaScript and ECMAScript 4 XML (E4X) - both
client and server</li><li>Support for CORBA</li><li>Support for JBI with
ServiceMix</li></ul><h3 id="Index-Tooling">Tooling</h3><ul><li>Generating Code:
WSDL to Java, WSDL to JavaScript, Java to JavaScript</li><li>Generating WSDL:
Java to WSDL, XSD to WSDL, IDL to WSDL, WSDL to XML</li><li>Adding Endpoints:
WSDL to SOAP, WSDL to CORBA, WSDL to service</li><li>Generating Support Files:
WSDL to IDL</li><li>Validating Files: WSDL Validation</li></ul><h2
id="Index-GettingInvolved">Getting Involved</h2><p>Apache CXF is currently
under heavy development. To get involved you can <a shape="rect"
href="mailing-lists.html">subscribe to the mailing lists</a>. You can also grab
the code from the <a shape="rect" href
="source-repository.html">Source Repository</a>. You also need to read about
<a shape="rect" href="building.html">Building</a> CXF. For Eclipse users, you
should read about <a shape="rect" href="setting-up-eclipse.html">Setting up
Eclipse</a>.</p></div>
+<div id="ConfluenceContent"><h1
id="Index-ApacheCXF™:AnOpen-SourceServicesFramework">Apache CXF™:
An Open-Source Services Framework</h1><h2
id="Index-Overview">Overview</h2><p>Apache CXF™ is an open source
services framework. CXF helps you build and develop services using frontend
programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of
protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a
variety of transports such as HTTP, JMS or JBI.</p><h2
id="Index-News">News</h2><h3
id="Index-May20,2026-ApacheCXF4.2.1,4.1.6and3.6.11released!">May 20, 2026 -
Apache CXF 4.2.1, 4.1.6 and 3.6.11 released!</h3><p>The Apache CXF team is
proud to announce the availability of our latest patch
releases! </p><p>Over 15 JIRA issues were fixed for 4.2.1,  10 JIRA
issues were fixed for 4.1.6, and 8 JIRA issues were fixed for
3.6.11.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><p>These releases con
tain fixes for 3 CVE issues, please see <a shape="rect"
href="security-advisories.html">Security Advisories</a>.</p><h3
id="Index-Feb16,2026-ApacheCXF4.2.0,4.1.5,4.0.11and3.6.10released!">Feb 16,
2026 - Apache CXF 4.2.0, 4.1.5, 4.0.11 and 3.6.10 released!</h3><p>The Apache
CXF team is proud to announce the availability of our latest patch
releases! </p><p>4.2.0 brings Jakarta EE 11 support, over 15 JIRA issues
were fixed for 4.1.5,  14 JIRA issues were fixed for 4.0.11, 8 JIRA issues
were fixed for 3.6.10.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Nov17,2025-ApacheCXF4.1.4,4.0.10and3.6.9released!">Nov 17, 2025 -
Apache CXF 4.1.4, 4.0.10 and 3.6.9 released!</h3><p>The Apache CXF team is
proud to announce the availability of our latest patch
releases! </p><p>Over 13 JIRA issues were fixed for 4.1.4,  11 JIRA
issues were fixed for 4.0.10, 12 JIRA issues were fixed for
3.6.9.</p><p>Downloads are available&
#160;<a shape="rect" href="download.html">here</a>.</p><h3
id="Index-Aug06,2025-ApacheCXF4.1.3,4.0.9and3.6.8released!">Aug 06, 2025 -
Apache CXF 4.1.3, 4.0.9 and 3.6.8 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 10 JIRA
issues were fixed for 4.1.3 and 4.0.9, </p><p>6 JIRA issues were fixed for
3.6.8. These releases contain a fix for a new CVE:</p><ul><li><a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2025-48913.txt">https://cxf.apache.org/security-advisories.data/CVE-2025-48913.txt</a></li></ul><p>Downloads
are available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-May23,2025-ApacheCXF4.1.2,4.0.8and3.6.7released!">May 23, 2025 -
Apache CXF 4.1.2, 4.0.8 and 3.6.7 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 16 JIRA
issues were fixed for 4.1.2, </p><p>11 JIRA issues were fixed for 4.0
.8, 10 JIRA issues were fixed for 3.6.7.</p><p>Downloads are available <a
shape="rect" href="download.html">here</a>.</p><h3
id="Index-Mar6,2025-ApacheCXF4.1.1,4.0.7,3.6.6and3.5.11released!">Mar 6, 2025 -
Apache CXF 4.1.1, 4.0.7, 3.6.6 and 3.5.11 released!</h3><p>The Apache CXF team
is proud to announce the availability of our latest patch releases!  Over
17 JIRA issues were fixed for 4.1.1, </p><p>14 JIRA issues were fixed for
4.0.7, 11 JIRA issues were fixed for 3.6.6 and 5 JIRA issues were fixed for
3.5.11.</p><p>Please note that the CXF 3.5.11 is the last release of CXF 3.5.x
series</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Dec13,2024-ApacheCXF4.1.0released!">Dec 13, 2024 - Apache CXF 4.1.0
released!</h3><p>The Apache CXF team is proud to announce the availability of
CXF 4.1.0!  The 4.1.0 is our first release to feature Jakarta EE 10
support and JDK-17 baseline</p><p>Over 54 JIRA issues were fixed for 4
.1.0, </p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-Dec9,2024-ApacheCXF3.5.10,3.6.5and4.0.6released!">Dec 9, 2024 -
Apache CXF 3.5.10, 3.6.5 and 4.0.6 released!</h3><p>The Apache CXF team is
proud to announce the availability of our latest patch releases!  Over 29
JIRA issues were fixed for 4.0.6, </p><p>25 JIRA issues were fixed for
3.6.5 and 18 JIRA issues were fixed for 3.5.10.</p><p>Downloads are
available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-July17,2024-ApacheCXF3.5.9,3.6.4and4.0.5released!">July 17, 2024 -
Apache CXF 3.5.9, 3.6.4 and 4.0.5 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 19 JIRA
issues were fixed for 4.0.5.</p><p>These releases contain fixes for 3 different
CVEs:</p><ul><li><a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-29736.txt">https://cxf.apache.org/security-a
dvisories.data/CVE-2024-29736.txt</a></li><li><a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-32007.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-32007.txt</a></li><li><a
shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-41172.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-41172.txt</a></li></ul><p>Downloads
are available <a shape="rect" href="download.html">here</a>.</p><h3
id="Index-March12,2024-ApacheCXF3.5.8,3.6.3and4.0.4released!">March 12, 2024 -
Apache CXF 3.5.8, 3.6.3 and 4.0.4 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 28 JIRA
issues were fixed for 4.0.4.</p><p>These releases contain a fix for a new
security issue: <a shape="rect"
href="https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt">https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt</a></p><p>Downloads
are available <a
shape="rect" href="download.html">here</a>.</p><h3
id="Index-Sept18,2023-ApacheCXF3.5.7,3.6.2and4.0.3released!">Sept 18, 2023 -
Apache CXF 3.5.7, 3.6.2 and 4.0.3 released!</h3><p>The Apache CXF team is proud
to announce the availability of our latest patch releases!  Over 15 JIRA
issues were fixed for 4.01 and 3.5.6.</p><p>Downloads are available <a
shape="rect" href="download.html">here</a>.</p><h3
id="Index-June12,2023-ApacheCXF3.6.1and4.0.2released!">June 12, 2023 - Apache
CXF 3.6.1 and 4.0.2 released!</h3><p>The Apache CXF team is proud to announce
the availability of our latest patch releases!  Over 7 JIRA issues were
fixed for 4.0.2 and 3.6.1.</p><p>Downloads are available <a shape="rect"
href="download.html">here</a>.</p><h3
id="Index-May8,2023-ApacheCXF3.5.6,3.6.0and4.0.1released!">May 8, 2023 - Apache
CXF 3.5.6, 3.6.0 and 4.0.1 released!</h3><p>The Apache CXF team is proud to
announce the availability of our latest patch releases!  Over 15 JIRA issu
es were fixed for 4.01 and 3.5.6.</p><p>Downloads are available <a
shape="rect" href="download.html">here</a>.</p><h3
id="Index-Features">Features</h3><p>CXF includes a broad feature set, but it is
primarily focused on the following areas:</p><ul><li><strong>Web Services
Standards Support:</strong> CXF supports a variety of web service standards
including SOAP, the WS-I Basic Profile, WSDL, WS-Addressing, WS-Policy,
WS-ReliableMessaging, WS-Security, WS-SecurityPolicy, WS-SecureConverstation,
and WS-Trust (partial).</li><li><strong>Frontends:</strong> CXF supports a
variety of "frontend" programming models.</li></ul><p>CXF implements the JAX-WS
APIs. CXF JAX-WS support includes some extensions to the standard that make it
significantly easier to use, compared to the reference implementation: It will
automatically generate code for request and response bean classes, and does not
require a WSDL for simple cases.</p><p>It also includes a "simple frontend"
which allows creation of
clients and endpoints without annotations. CXF supports both contract first
development with WSDL and code first development starting from Java.</p><p>For
REST, CXF also supports a JAX-RS frontend.</p><ul><li><strong>Ease of
use:</strong> CXF is designed to be intuitive and easy to use. There are simple
APIs to quickly build code-first services, Maven plug-ins to make tooling
integration easy, JAX-WS API support, Spring 2.x XML support to make
configuration a snap, and much more.</li><li><strong>Binary and Legacy Protocol
Support:</strong> CXF has been designed to provide a pluggable architecture
that supports not only XML but also non-XML type bindings, such as JSON and
CORBA, in combination with any type of transport.</li></ul><p>To get started
using CXF, check out the <a shape="rect" href="download.html">downloads</a>,
the <a shape="rect" href="http://cxf.apache.org/docs/index.html">user's
guide</a>, or the <a shape="rect" href="mailing-lists.html">mailing lists</a>
to get more i
nformation!</p><h2 id="Index-Goals">Goals</h2><h3
id="Index-General">General</h3><ul><li>High
Performance</li><li>Extensible</li><li>Intuitive & Easy to Use</li></ul><h3
id="Index-SupportforStandards">Support for Standards</h3><h5
id="Index-JSRSupport">JSR Support</h5><ul><li>JAX-WS - Java API for XML-Based
Web Services (JAX-WS) 2.0 - <a shape="rect" class="external-link"
href="http://jcp.org/en/jsr/detail?id=224"
rel="nofollow">JSR-224</a></li><li>Web Services Metadata for the Java Platform
- <a shape="rect" class="external-link"
href="http://jcp.org/en/jsr/detail?id=181"
rel="nofollow">JSR-181</a></li><li>JAX-RS - The Java API for RESTful Web
Services - <a shape="rect" class="external-link"
href="http://jcp.org/en/jsr/detail?id=311" rel="nofollow">JSR-311,</a> <a
shape="rect" class="external-link" href="https://jcp.org/en/jsr/detail?id=370"
rel="nofollow">JSR-370</a></li><li>SAAJ - SOAP with Attachments API for Java
(SAAJ) - <a shape="rect" class="external-link" href="http://j
cp.org/aboutJava/communityprocess/mrel/jsr067/index3.html"
rel="nofollow">JSR-67</a></li></ul><h5
id="Index-WS-*andrelatedSpecificationsSupport">WS-* and related Specifications
Support</h5><ul><li>Basic support: WS-I Basic Profile 1.1</li><li>Quality of
Service: WS-Reliable Messaging</li><li>Metadata: WS-Policy, WSDL 1.1 - Web
Service Definition Language</li><li>Communication Security: WS-Security,
WS-SecurityPolicy, WS-SecureConversation, WS-Trust (partial
support)</li><li>Messaging Support: WS-Addressing, SOAP 1.1, SOAP 1.2, Message
Transmission Optimization Mechanism (MTOM)</li></ul><h5
id="Index-OpenAPISpecification(OAS)Support">OpenAPI Specification (OAS)
Support</h5><ul><li>OAS 2.0 (classic Swagger specification)</li><li>OAS 3.0.x
(new revised specification)</li></ul><h3
id="Index-MultipleTransports,ProtocolBindings,DataBindings,andFormats">Multiple
Transports, Protocol Bindings, Data Bindings, and
Formats</h3><ul><li>Transports: HTTP, Servlet, JMS, In-VM and many others via t
he <a shape="rect" class="external-link"
href="http://camel.apache.org/camel-transport-for-cxf.html">Camel transport for
CXF</a> such as SMTP/POP3, TCP and Jabber</li><li>Protocol Bindings: SOAP,
REST/HTTP, pure XML</li><li>Data bindings: JAXB 2.x, Aegis, Apache XMLBeans,
Service Data Objects (SDO), JiBX</li><li>Formats: XML Textual, JSON,
FastInfoset</li><li>Extensibility API allows additional bindings for CXF,
enabling additional message format support such as CORBA/IIOP</li></ul><h3
id="Index-FlexibleDeployment">Flexible Deployment</h3><ul><li>Lightweight
containers: deploy services in Jetty, Tomcat or Spring-based
containers</li><li>JBI integration: deploy as a service engine in a JBI
container such as ServiceMix, OpenESB or Petals</li><li>Java EE integration:
deploy services in Java EE application servers such as Apache Geronimo, JOnAS,
Redhat JBoss, OC4J, Oracle WebLogic, and IBM WebSphere</li><li>Standalone Java
client/server</li></ul><h3 id="Index-SupportforMultipleProgrammi
ngLanguages">Support for Multiple Programming Languages</h3><ul><li>Full
support for JAX-WS 2.x client/server programming model</li><li>JAX-WS 2.x
synchronous, asynchronous and one-way API's</li><li>JAX-WS 2.x Dynamic
Invocation Interface (DII) API</li><li>JAX-RS for RESTful
clients</li><li>Support for wrapped and non-wrapped styles</li><li>XML
messaging API</li><li>Support for JavaScript and ECMAScript 4 XML (E4X) - both
client and server</li><li>Support for CORBA</li><li>Support for JBI with
ServiceMix</li></ul><h3 id="Index-Tooling">Tooling</h3><ul><li>Generating Code:
WSDL to Java, WSDL to JavaScript, Java to JavaScript</li><li>Generating WSDL:
Java to WSDL, XSD to WSDL, IDL to WSDL, WSDL to XML</li><li>Adding Endpoints:
WSDL to SOAP, WSDL to CORBA, WSDL to service</li><li>Generating Support Files:
WSDL to IDL</li><li>Validating Files: WSDL Validation</li></ul><h2
id="Index-GettingInvolved">Getting Involved</h2><p>Apache CXF is currently
under heavy development. To get involved
you can <a shape="rect" href="mailing-lists.html">subscribe to the mailing
lists</a>. You can also grab the code from the <a shape="rect"
href="source-repository.html">Source Repository</a>. You also need to read
about <a shape="rect" href="building.html">Building</a> CXF. For Eclipse users,
you should read about <a shape="rect" href="setting-up-eclipse.html">Setting up
Eclipse</a>.</p></div>
</div>
<!-- Content -->
</td>
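Review bot: The new paragraph in the May 20, 2026 news entry ("These releases contain fixes for 3 CVE issues, please see Security Advisories") links to the general security-advisories.html page rather than naming the CVEs. The Aug 06, 2025 and July 17, 2024 entries in the same block link each advisory file directly; doing the same here for CVE-2026-44417, CVE-2026-44618 and CVE-2026-44930, the three .txt files added in this revision, would let readers match the release to its identifiers from the news item itself. Two carried-over slips could be fixed at the source while this block is being regenerated: the Sept 18, 2023 entry says "fixed for 4.01 and 3.5.6" under a 3.5.7, 3.6.2 and 4.0.3 heading, and the Features list spells "WS-SecureConverstation".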
Added:
websites/production/cxf/content/security-advisories.data/CVE-2026-44417.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2026-44417.txt
Fri May 22 10:43:09 2026 (r1093054)
@@ -0,0 +1,23 @@
+Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can
lead to RCE)
+
+Severity: moderate
+
+Affected versions:
+
+- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.2.0 before 4.2.1
+- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.0.0 before 4.1.6
+- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) before 3.6.11
+
+Description:
+
+The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead
to RCE was not complete, meaning that another path in the code might lead to
code execution capabilities, if untrusted users are allowed to configure JMS
for Apache CXF.
+Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix
this issue.
+
+Credit:
+
+Github / twitter - https://github.com/exploitintel / @exploit_intel (finder)
+
+References:
+
+https://cxf.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-44417
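Review bot: The title line of this advisory omits the CVE identifier, while the other two files added in this revision open with "CVE-2026-44618:" and "CVE-2026-44930:"; it should start "CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 ...". The second affected range, "4.0.0 before 4.1.6", covers 4.0.x as well as 4.1.x, yet the upgrade sentence names only 4.2.1, 4.1.6 and 3.6.11, so it is worth stating explicitly that 4.0.x users need to move to 4.1.6 or later. The Description already gives the precondition ("if untrusted users are allowed to configure JMS"); restating it as an interim mitigation, i.e. keep JMS configuration out of untrusted hands, would help users who cannot upgrade at once.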
Added:
websites/production/cxf/content/security-advisories.data/CVE-2026-44618.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2026-44618.txt
Fri May 22 10:43:09 2026 (r1093054)
@@ -0,0 +1,23 @@
+CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality
+
+Severity: important
+
+Affected versions:
+
+- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.2.0 before 4.2.1
+- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) 4.0.0 before 4.1.6
+- Apache CXF (org.apache.cxf:cxf-rt-ws-transfer) before 3.6.11
+
+Description:
+
+Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow
attackers to perform XXE attacks.
+Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix
this issue.
+
+Credit:
+
+Credit to IcySun ([email protected]), 广东东方思维科技有限公司 (finder)
+
+References:
+
+https://cxf.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-44618
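Review bot: The Description ("Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks") does not say which deployments are exposed. Suggest stating whether the issue is reachable only where a WS-Transfer endpoint is deployed and whether the caller must be authenticated, so users of cxf-rt-ws-transfer can triage before they upgrade. Minor: under the "Credit:" heading the entry repeats the word ("Credit to IcySun ..."), which differs from the "name (finder)" form used in CVE-2026-44417.txt.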
Added:
websites/production/cxf/content/security-advisories.data/CVE-2026-44930.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2026-44930.txt
Fri May 22 10:43:09 2026 (r1093054)
@@ -0,0 +1,18 @@
+CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP
Repository
+Severity: important
+
+Affected versions:
+
+- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
4.2.0 before 4.2.1
+- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
4.0.0 before 4.1.6
+- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
before 3.6.11
+
+Description:
+
+An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS
server in Apache CXF may allow an attacker to retrieve arbitrary certificates
from the repository.
+Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix
this issue.
+
+References:
+
+https://cxf.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-44930
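Review bot: The blank line between the title and "Severity: important" is missing at the top of this file, and there is no "Credit:" section, both unlike the other two advisories added in this revision; that is consistent with this file's 18 lines against their 23. Add the separator line, and either add a credit entry or confirm the omission is intended. The sentence "may allow an attacker to retrieve arbitrary certificates from the repository" would be easier to act on if it said whether the XKMS request involved requires authentication.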
Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html Fri May 22
00:47:06 2026 (r1093053)
+++ websites/production/cxf/content/security-advisories.html Fri May 22
10:43:09 2026 (r1093054)
@@ -85,7 +85,8 @@ Apache CXF -- Security Advisories
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect"
href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect"
href="index.html">Home</a></li><li><a shape="rect"
href="download.html">Download</a></li><li><a shape="rect"
href="people.html">People</a></li><li><a shape="rect"
href="project-status.html">Project Status</a></li><li><a shape="rect"
href="roadmap.html">Roadmap</a></li><li><a shape="rect"
href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/CXF">Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special
Thanks</a></li><li><a shape="rect" class="external-link"
href="https://www.apache.org/licenses/">License</a></li><li><a shape="rect"
href="security-advisories.html">Security Advisories</a></li></ul><h3
id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect"
href="https://cxf.apache.org/docs/index.html">User's Guide</a></li><
li><a shape="rect" href="support.html">Support</a></li><li><a shape="rect"
href="faq.html">FAQ</a></li><li><a shape="rect"
href="resources-and-articles.html">Resources and Articles</a></li></ul><h3
id="Navigation-Search">Search</h3><iframe frameborder="1" scrolling="auto"
id="searchId" src="https://cxf.apache.org/resources/search.htm"
name="SearchIFrame" width="200px" style="border:none;" title="Search"
height="60px"><p><br clear="none"></p></iframe>
+<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect"
href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect"
href="index.html">Home</a></li><li><a shape="rect"
href="download.html">Download</a></li><li><a shape="rect"
href="people.html">People</a></li><li><a shape="rect"
href="project-status.html">Project Status</a></li><li><a shape="rect"
href="roadmap.html">Roadmap</a></li><li><a shape="rect"
href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/CXF">Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special
Thanks</a></li><li><a shape="rect" class="external-link"
href="https://www.apache.org/licenses/">License</a></li><li><a shape="rect"
href="security-advisories.html">Security Advisories</a></li></ul><h3
id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect"
href="https://cxf.apache.org/docs/index.html">User's Guide</a></li><
li><a shape="rect" href="support.html">Support</a></li><li><a shape="rect"
href="faq.html">FAQ</a></li><li><a shape="rect"
href="resources-and-articles.html">Resources and Articles</a></li></ul><h3
id="Navigation-Search">Search</h3>
+<iframe frameborder="1" scrolling="auto" id="searchId"
src="https://cxf.apache.org/resources/search.htm" sandbox="sandbox"
name="SearchIFrame" width="200px" style="border:none;" title="Search"
height="60px"></iframe>
<h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a
shape="rect"
href="https://cxf.apache.org/docs/cxf-architecture.html">Architecture
Guide</a></li><li><a shape="rect" href="source-repository.html">Source
Repository</a></li><li><a shape="rect"
href="building.html">Building</a></li><li><a shape="rect"
href="automated-builds.html">Automated Builds</a></li><li><a shape="rect"
href="testing-debugging.html">Testing-Debugging</a></li><li><a shape="rect"
href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect"
href="getting-involved.html">Getting Involved</a></li><li><a shape="rect"
href="release-management.html">Release Management</a></li></ul><h3
id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a
shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a
shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect"
href="build-utils.html">Build Utils</a></li><li><a shape="rect"
href="fediz.html">Fe
diz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link"
href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a
shape="rect" class="external-link"
href="https://www.apache.org/foundation/how-it-works.html">How Apache
Works</a></li><li><a shape="rect" class="external-link"
href="https://www.apache.org/foundation/">Foundation</a></li><li><a
shape="rect" class="external-link"
href="https://www.apache.org/foundation/sponsorship.html">Sponsor
Apache</a></li><li><a shape="rect" class="external-link"
href="https://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a
shape="rect" class="external-link"
href="https://www.apache.org/security/">Security</a></li></ul><p><br
clear="none"></p><p><a shape="rect" class="external-link"
href="https://www.apache.org/events/current-event.html"> <span
class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image
confluence-external-resource" draggable="false"
src="https://www.apache.org/events
/current-event-125x125.png"
data-image-src="https://www.apache.org/events/current-event-125x125.png"></span>
</a></p></div>
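Review bot: In the added iframe, sandbox="sandbox" is not a valid value: the attribute takes a space-separated list of allow-* tokens, and an unrecognised token is ignored, so this behaves like an empty sandbox attribute with every restriction on, including script execution and form submission. If search.htm depends on either, the search box stops working; list only the tokens it actually needs (for instance sandbox="allow-forms allow-scripts"). Avoid pairing allow-scripts with allow-same-origin if this page is served from the same cxf.apache.org origin as the frame, since that pair lets the framed document remove its own sandbox. The same hunk also drops the fallback content inside the iframe and keeps frameborder="1" next to style="border:none;", which contradict each other.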
@@ -98,7 +99,7 @@ Apache CXF -- Security Advisories
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><p><span style="color: rgb(36,41,47);">For
information on how to report a new security problem please
see<span> </span></span><a shape="rect" class="external-link"
href="https://www.apache.org/security/" style="text-decoration:
none;">here</a><span style="color:
rgb(36,41,47);">.<span> </span></span></p><h3
id="SecurityAdvisories-2025">2025</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2025-23184.txt?version=2&modificationDate=1737381863000&api=v2"
data-linked-resource-id="340036025" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-23184.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2025-23184</a>: Apache CXF:
Denial of Service vulnerability with temporary files </li><li><a
shape="rect" href="security-advisories.data/CVE-2025
-48795.txt?version=1&modificationDate=1752578416000&api=v2"
data-linked-resource-id="373886120" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-48795.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2025-48795</a>: Apache CXF:
Denial of Service and sensitive data exposure in logs </li><li><a
shape="rect"
href="security-advisories.data/CVE-2025-48913.txt?version=1&modificationDate=1754576095225&api=v2"
data-linked-resource-id="373887565" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-48913.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2025-48913</a>: Apache CXF:
Untrusted JMS config
uration can lead to RCE </li></ul><h3
id="SecurityAdvisories-2024">2024</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2024-28752.txt?version=2&modificationDate=1710431346000&api=v2"
data-linked-resource-id="296290905" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-28752.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2024-28752</a>: Apache CXF SSRF
Vulnerability using the Aegis databinding </li><li><a shape="rect"
href="security-advisories.data/CVE-2024-29736.txt?version=1&modificationDate=1721314668000&api=v2"
data-linked-resource-id="315493016" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-29736.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain" data-
linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2024-29736</a>: SSRF
vulnerability via WADL stylesheet parameter</li><li><a shape="rect"
href="security-advisories.data/CVE-2024-32007.txt?version=1&modificationDate=1721314761000&api=v2"
data-linked-resource-id="315493017" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-32007.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2024-32007</a>: Apache CXF
Denial of Service vulnerability in JOSE</li><li><a shape="rect"
href="security-advisories.data/CVE-2024-41172.txt?version=1&modificationDate=1721314821000&api=v2"
data-linked-resource-id="315493018" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-41172.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2024-41172</a>: Unrestricted
memory consumption in CXF HTTP clients</li></ul><h3
id="SecurityAdvisories-2022">2022</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2022-46363.txt?version=1&modificationDate=1670942001000&api=v2"
data-linked-resource-id="235836918" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2022-46363.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2022-46363</a>: Apache CXF
directory listing / code exfiltration</li><li><a shape="rect"
href="security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944473000&api=v2"
data-linked-resource-id="235836926" data-linked-resource-version="1" data
-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2022-46364.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2022-46364</a>: Apache CXF SSRF
Vulnerability</li></ul><h3 id="SecurityAdvisories-2021">2021</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2021-30468.txt.asc?version=1&modificationDate=1623835370000&api=v2"
data-linked-resource-id="181310680" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2021-30468.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2021-30468</a>: Apache CXF
Denial of service vulnerability in parsing JSON via
JsonMapObjectReaderWriter</li><li><a shape="rect"
href="security-advisories.data/CVE-2021-226
96.txt.asc?version=1&modificationDate=1617355743000&api=v2"
data-linked-resource-id="177049091" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2021-22696.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2021-22696</a>: OAuth 2
authorization service vulnerable to DDos attacks</li></ul><h3
id="SecurityAdvisories-2020">2020</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183671000&api=v2"
data-linked-resource-id="165225095" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2020-13954.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-
2020-13954</a>: Apache CXF Reflected XSS in the services listing page via the
styleSheetPath</li><li><a shape="rect"
href="security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2"
data-linked-resource-id="148645097" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2020-1954.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2020-1954</a>: Apache CXF JMX
Integration is vulnerable to a MITM attack</li></ul><h3
id="SecurityAdvisories-2019">2019</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2019-17573.txt.asc?version=2&modificationDate=1584610519000&api=v2"
data-linked-resource-id="145722246" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-17573.txt.asc" data-nice
-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2019-17573</a>: Apache CXF
Reflected XSS in the services listing page</li><li><a shape="rect"
href="security-advisories.data/CVE-2019-12423.txt.asc?version=1&modificationDate=1579178393000&api=v2"
data-linked-resource-id="145722244" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-12423.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2019-12423</a>: Apache CXF
OpenId Connect JWK Keys service returns private/secret credentials if
configured with a jwk keystore</li><li><a shape="rect"
href="security-advisories.data/CVE-2019-12419.txt.asc?version=2&modificationDate=1572961201000&api=v2"
data-linked-resource-id="135859612"
data-linked-resource-version="2" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-12419.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2019-12419</a>: Apache CXF
OpenId Connect token service does not properly validate the clientId</li><li><a
shape="rect"
href="security-advisories.data/CVE-2019-12406.txt.asc?version=1&modificationDate=1572957147000&api=v2"
data-linked-resource-id="135859607" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-12406.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2019-12406</a>: Apache CXF does
not restrict the number of message attachments</li></ul><h3
id="SecurityAdvisories-2018">2018</h3><u
l><li><a shape="rect"
href="security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2"
data-linked-resource-id="87296645" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2018-8039.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2018-8039</a>: Apache CXF TLS
hostname verification does not work correctly with com.sun.net.ssl.</li><li><a
shape="rect"
href="security-advisories.data/CVE-2018-8038.txt.asc?version=1&modificationDate=1530712328000&api=v2"
data-linked-resource-id="87297524" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2018-8038.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-res
ource-container-version="53">CVE-2018-8038</a>: Apache CXF Fediz is vulnerable
to DTD based XML attacks</li></ul><h3
id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2017-12631.txt.asc?version=1&modificationDate=1512037276000&api=v2"
data-linked-resource-id="74688816" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-12631.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-12631</a>: CSRF
vulnerabilities in the Apache CXF Fediz Spring plugins.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-12624.txt.asc?version=1&modificationDate=1510661632000&api=v2"
data-linked-resource-id="74687100" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-12624.txt
.asc" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-12624</a>: Apache CXF web
services that process attachments are vulnerable to Denial of Service (DoS)
attacks.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-7662.txt.asc?version=1&modificationDate=1494949377000&api=v2"
data-linked-resource-id="70255583" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-7662.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-7662</a>: The Apache CXF
Fediz OIDC Client Registration Service is vulnerable to CSRF
attacks.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364000&api=v2"
data-li
nked-resource-id="70255582" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-7661.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-7661</a>: The Apache CXF
Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.</li><li><a
shape="rect"
href="security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113000&api=v2"
data-linked-resource-id="69406543" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-5656.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-5656</a>: Apache CXF's
STSClient uses a flawed way of caching tokens that are associated with
delegation t
okens.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074000&api=v2"
data-linked-resource-id="69406542" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-5653.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-5653</a>: Apache CXF
JAX-RS XML Security streaming clients do not validate that the service response
was signed or encrypted.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-3156.txt.asc?version=1&modificationDate=1487590374000&api=v2"
data-linked-resource-id="68715428" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-3156.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain" data-linked-resour
ce-container-id="27837502"
data-linked-resource-container-version="53">CVE-2017-3156</a>: Apache CXF
OAuth2 Hawk and JOSE MAC Validation code is vulnerable to the timing
attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2016-8739.txt.asc?version=1&modificationDate=1482164360000&api=v2"
data-linked-resource-id="67635454" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-8739.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2016-8739</a>: Atom entity
provider of Apache CXF JAX-RS is vulnerable to XXE</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-6812.txt.asc?version=1&modificationDate=1482164360000&api=v2"
data-linked-resource-id="67635455" data-linked-resource-version="1"
data-linked-resource-
type="attachment" data-linked-resource-default-alias="CVE-2016-6812.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2016-6812</a>: XSS risk in
Apache CXF FormattedServiceListWriter when a request URL contains matrix
parameters</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-4464.txt.asc?version=1&modificationDate=1473350153000&api=v2"
data-linked-resource-id="65869472" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-4464.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2016-4464</a>: Apache CXF Fediz
application plugins do not match the SAML AudienceRestriction values against
the list of configured audience URIs</li></ul><h3 id="SecurityAdvi
sories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5253.txt.asc?version=1&modificationDate=1447433340000&api=v2"
data-linked-resource-id="61328642" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5253.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2015-5253</a>: Apache CXF SAML
SSO processing is vulnerable to a wrapping attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-5175.txt.asc?version=1&modificationDate=1440598018000&api=v2"
data-linked-resource-id="61316328" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5175.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-lin
ked-resource-container-version="53">CVE-2015-5175</a>: Apache CXF Fediz
application plugins are vulnerable to Denial of Service (DoS)
attacks</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2014-3577.txt.asc?version=1&modificationDate=1419245371000&api=v2"
data-linked-resource-id="51183657" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3577.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-3577</a>: Apache CXF SSL
hostname verification bypass</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3566.txt.asc?version=1&modificationDate=1418740474000&api=v2"
data-linked-resource-id="50561078" data-linked-resource-version="1"
data-linked-resource-type="attachment" data-linked-resource-default-alias="C
VE-2014-3566.txt.asc" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">Note on CVE-2014-3566</a>: SSL 3.0
support in Apache CXF, aka the "POODLE" attack.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3623.txt.asc?version=1&modificationDate=1414169368000&api=v2"
data-linked-resource-id="47743195" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3623.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-3623</a>: Apache CXF does
not properly enforce the security semantics of SAML SubjectConfirmation methods
when used with the TransportBinding</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&modificationDate=1414169
326000&api=v2" data-linked-resource-id="47743194"
data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3584.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-3584</a>: Apache CXF
JAX-RS SAML handling is vulnerable to a Denial of Service (DoS)
attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&modificationDate=1398873370000&api=v2"
data-linked-resource-id="40895138" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0109.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-0109</a>: HTML content
posted to SOAP endpoint could cause OOM errors</li><l
i><a shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&modificationDate=1398873378000&api=v2"
data-linked-resource-id="40895139" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0110.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-0110</a>: Large invalid
content could cause temporary space to fill</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&modificationDate=1398873385000&api=v2"
data-linked-resource-id="40895140" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0034.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">
CVE-2014-0034</a>: The SecurityTokenService accepts certain invalid SAML
Tokens as valid</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&modificationDate=1398873391000&api=v2"
data-linked-resource-id="40895141" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0035.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2014-0035</a>: UsernameTokens
are sent in plaintext with a Symmetric EncryptBeforeSigning policy</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301000&api=v2"
data-linked-resource-id="33095710" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-2160.tx
t.asc" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="53">CVE-2013-2160</a> - Denial of
Service Attacks on Apache CXF</li><li><a shape="rect"
href="cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards
compatibility attack on Apache CXF.</li><li><a shape="rect"
href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass in the case
of WS-SecurityPolicy enabled plaintext UsernameTokens.</li></ul><h3
id="SecurityAdvisories-2012">2012</h3><ul><li><a shape="rect"
href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor always allows
HTTP Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher
attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is
vulnerable to SOAP Action spoofing attack
s on Document Literal web services.</li><li><a shape="rect"
href="cve-2012-2379.html">CVE-2012-2379</a> - Apache CXF does not verify that
elements were signed or encrypted by a particular Supporting Token.</li><li><a
shape="rect" href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not
pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy
assertions on the client side.</li><li><a shape="rect"
href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption
flaw / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate
UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul><p><br clear="none"></p></div>
+<div id="ConfluenceContent"><p><span style="color: rgb(36,41,47);">For
information on how to report a new security problem please
see<span> </span></span><a shape="rect" class="external-link"
href="https://www.apache.org/security/" style="text-decoration:
none;">here</a><span style="color:
rgb(36,41,47);">.<span> </span></span></p><h3
id="SecurityAdvisories-2026">2026</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2026-44417.txt?version=1&modificationDate=1779445819000&api=v2"
data-linked-resource-id="429064531" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2026-44417.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2026-44417</a>: Apache
CXF:Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to
RCE)</li><li><a shape="rect" href="security-advi
sories.data/CVE-2026-44618.txt?version=1&modificationDate=1779445877000&api=v2"
data-linked-resource-id="429064532" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2026-44618.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2026-44618</a>: Apache CXF: XXE
vulnerability in WS-Transfer functionality</li><li><a shape="rect"
href="security-advisories.data/CVE-2026-44930.txt?version=1&modificationDate=1779445722000&api=v2"
data-linked-resource-id="429064529" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2026-44930.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2026-44930</a>: Apache CXF:
LDAP Injectio
n vulnerability in XKMS LDAP Repository</li></ul><h3
id="SecurityAdvisories-2025">2025</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2025-23184.txt?version=2&modificationDate=1737381863000&api=v2"
data-linked-resource-id="340036025" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-23184.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2025-23184</a>: Apache CXF:
Denial of Service vulnerability with temporary files </li><li><a
shape="rect"
href="security-advisories.data/CVE-2025-48795.txt?version=1&modificationDate=1752578416000&api=v2"
data-linked-resource-id="373886120" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-48795.txt" data-nice-type="Text
File" data-linked-resource-content-type="
text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2025-48795</a>: Apache CXF:
Denial of Service and sensitive data exposure in logs </li><li><a
shape="rect"
href="security-advisories.data/CVE-2025-48913.txt?version=1&modificationDate=1754576095000&api=v2"
data-linked-resource-id="373887565" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2025-48913.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2025-48913</a>: Apache CXF:
Untrusted JMS configuration can lead to RCE </li></ul><h3
id="SecurityAdvisories-2024">2024</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2024-28752.txt?version=2&modificationDate=1710431346000&api=v2"
data-linked-resource-id="296290905" data-linked-resource-version="2"
data-linked-r
esource-type="attachment"
data-linked-resource-default-alias="CVE-2024-28752.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2024-28752</a>: Apache CXF SSRF
Vulnerability using the Aegis databinding </li><li><a shape="rect"
href="security-advisories.data/CVE-2024-29736.txt?version=1&modificationDate=1721314668000&api=v2"
data-linked-resource-id="315493016" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-29736.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2024-29736</a>: SSRF
vulnerability via WADL stylesheet parameter</li><li><a shape="rect"
href="security-advisories.data/CVE-2024-32007.txt?version=1&modificationDate=1721314761000&api=v2"
data-linke
d-resource-id="315493017" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-32007.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2024-32007</a>: Apache CXF
Denial of Service vulnerability in JOSE</li><li><a shape="rect"
href="security-advisories.data/CVE-2024-41172.txt?version=1&modificationDate=1721314821000&api=v2"
data-linked-resource-id="315493018" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2024-41172.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2024-41172</a>: Unrestricted
memory consumption in CXF HTTP clients</li></ul><h3
id="SecurityAdvisories-2022">2022</h3><ul><li><a shape="rect" href
="security-advisories.data/CVE-2022-46363.txt?version=1&modificationDate=1670942001000&api=v2"
data-linked-resource-id="235836918" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2022-46363.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2022-46363</a>: Apache CXF
directory listing / code exfiltration</li><li><a shape="rect"
href="security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944473000&api=v2"
data-linked-resource-id="235836926" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2022-46364.txt" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2022-46364</a>: Apache CXF SSRF
Vuln
erability</li></ul><h3 id="SecurityAdvisories-2021">2021</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2021-30468.txt.asc?version=1&modificationDate=1623835370000&api=v2"
data-linked-resource-id="181310680" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2021-30468.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2021-30468</a>: Apache CXF
Denial of service vulnerability in parsing JSON via
JsonMapObjectReaderWriter</li><li><a shape="rect"
href="security-advisories.data/CVE-2021-22696.txt.asc?version=1&modificationDate=1617355743000&api=v2"
data-linked-resource-id="177049091" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2021-22696.txt.asc"
data-nice-type="Text File" data-linked-resource-content-ty
pe="text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2021-22696</a>: OAuth 2
authorization service vulnerable to DDos attacks</li></ul><h3
id="SecurityAdvisories-2020">2020</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2020-13954.txt.asc?version=1&modificationDate=1605183671000&api=v2"
data-linked-resource-id="165225095" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2020-13954.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2020-13954</a>: Apache CXF
Reflected XSS in the services listing page via the styleSheetPath</li><li><a
shape="rect"
href="security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2"
data-linked-resource-id="148645097" data-linked-resource-version="1
" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2020-1954.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2020-1954</a>: Apache CXF JMX
Integration is vulnerable to a MITM attack</li></ul><h3
id="SecurityAdvisories-2019">2019</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2019-17573.txt.asc?version=2&modificationDate=1584610519000&api=v2"
data-linked-resource-id="145722246" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-17573.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2019-17573</a>: Apache CXF
Reflected XSS in the services listing page</li><li><a shape="rect"
href="security-advisories.data/CVE-2019-12
423.txt.asc?version=1&modificationDate=1579178393000&api=v2"
data-linked-resource-id="145722244" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-12423.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2019-12423</a>: Apache CXF
OpenId Connect JWK Keys service returns private/secret credentials if
configured with a jwk keystore</li><li><a shape="rect"
href="security-advisories.data/CVE-2019-12419.txt.asc?version=2&modificationDate=1572961201000&api=v2"
data-linked-resource-id="135859612" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2019-12419.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55"
>CVE-2019-12419</a>: Apache CXF OpenId Connect token service does not properly
>validate the clientId</li><li><a shape="rect"
>href="security-advisories.data/CVE-2019-12406.txt.asc?version=1&modificationDate=1572957147000&api=v2"
> data-linked-resource-id="135859607" data-linked-resource-version="1"
>data-linked-resource-type="attachment"
>data-linked-resource-default-alias="CVE-2019-12406.txt.asc"
>data-nice-type="Text File" data-linked-resource-content-type="text/plain"
>data-linked-resource-container-id="27837502"
>data-linked-resource-container-version="55">CVE-2019-12406</a>: Apache CXF
>does not restrict the number of message attachments</li></ul><h3
>id="SecurityAdvisories-2018">2018</h3><ul><li><a shape="rect"
>href="security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2"
> data-linked-resource-id="87296645" data-linked-resource-version="1"
>data-linked-resource-type="attachment"
>data-linked-resource-default-alias="CVE-2018-8039.txt.a
sc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2018-8039</a>: Apache CXF TLS
hostname verification does not work correctly with com.sun.net.ssl.</li><li><a
shape="rect"
href="security-advisories.data/CVE-2018-8038.txt.asc?version=1&modificationDate=1530712328000&api=v2"
data-linked-resource-id="87297524" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2018-8038.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2018-8038</a>: Apache CXF Fediz
is vulnerable to DTD based XML attacks</li></ul><h3
id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2017-12631.txt.asc?version=1&modificationDate=1512037276000&api=v2"
data
-linked-resource-id="74688816" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-12631.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-12631</a>: CSRF
vulnerabilities in the Apache CXF Fediz Spring plugins.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-12624.txt.asc?version=1&modificationDate=1510661632000&api=v2"
data-linked-resource-id="74687100" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-12624.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-12624</a>: Apache CXF web
services that process attachments are vulnerable to Denial of Service (DoS)
attacks.</li><
li><a shape="rect"
href="security-advisories.data/CVE-2017-7662.txt.asc?version=1&modificationDate=1494949377000&api=v2"
data-linked-resource-id="70255583" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-7662.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-7662</a>: The Apache CXF
Fediz OIDC Client Registration Service is vulnerable to CSRF
attacks.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364000&api=v2"
data-linked-resource-id="70255582" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-7661.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-reso
urce-container-version="55">CVE-2017-7661</a>: The Apache CXF Fediz Jetty and
Spring plugins are vulnerable to CSRF attacks.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-5656.txt.asc?version=1&modificationDate=1492515113000&api=v2"
data-linked-resource-id="69406543" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-5656.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-5656</a>: Apache CXF's
STSClient uses a flawed way of caching tokens that are associated with
delegation tokens.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-5653.txt.asc?version=1&modificationDate=1492515074000&api=v2"
data-linked-resource-id="69406542" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-5
653.txt.asc" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-5653</a>: Apache CXF
JAX-RS XML Security streaming clients do not validate that the service response
was signed or encrypted.</li><li><a shape="rect"
href="security-advisories.data/CVE-2017-3156.txt.asc?version=1&modificationDate=1487590374000&api=v2"
data-linked-resource-id="68715428" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-3156.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2017-3156</a>: Apache CXF
OAuth2 Hawk and JOSE MAC Validation code is vulnerable to the timing
attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2016-8
739.txt.asc?version=1&modificationDate=1482164360000&api=v2"
data-linked-resource-id="67635454" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-8739.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2016-8739</a>: Atom entity
provider of Apache CXF JAX-RS is vulnerable to XXE</li><li><a shape="rect"
href="security-advisories.data/CVE-2016-6812.txt.asc?version=1&modificationDate=1482164360000&api=v2"
data-linked-resource-id="67635455" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-6812.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2016-6812</a>: XSS risk in
Apache CXF FormattedSer
viceListWriter when a request URL contains matrix parameters</li><li><a
shape="rect"
href="security-advisories.data/CVE-2016-4464.txt.asc?version=1&modificationDate=1473350153000&api=v2"
data-linked-resource-id="65869472" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-4464.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2016-4464</a>: Apache CXF Fediz
application plugins do not match the SAML AudienceRestriction values against
the list of configured audience URIs</li></ul><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5253.txt.asc?version=1&modificationDate=1447433340000&api=v2"
data-linked-resource-id="61328642" data-linked-resource-version="1"
data-linked-resource-type="attachment" data-linked-resource-default-al
ias="CVE-2015-5253.txt.asc" data-nice-type="Text File"
data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2015-5253</a>: Apache CXF SAML
SSO processing is vulnerable to a wrapping attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-5175.txt.asc?version=1&modificationDate=1440598018000&api=v2"
data-linked-resource-id="61316328" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5175.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2015-5175</a>: Apache CXF Fediz
application plugins are vulnerable to Denial of Service (DoS)
attacks</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2014-3577.txt.asc?version=1&modificati
onDate=1419245371000&api=v2" data-linked-resource-id="51183657"
data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3577.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-3577</a>: Apache CXF SSL
hostname verification bypass</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3566.txt.asc?version=1&modificationDate=1418740474000&api=v2"
data-linked-resource-id="50561078" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3566.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">Note on CVE-2014-3566</a>: SSL 3.0
support in Apache CXF, aka the "POODLE" attack.</li><li><a shape="rect" hr
ef="security-advisories.data/CVE-2014-3623.txt.asc?version=1&modificationDate=1414169368000&api=v2"
data-linked-resource-id="47743195" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3623.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-3623</a>: Apache CXF does
not properly enforce the security semantics of SAML SubjectConfirmation methods
when used with the TransportBinding</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&modificationDate=1414169326000&api=v2"
data-linked-resource-id="47743194" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3584.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="
27837502" data-linked-resource-container-version="55">CVE-2014-3584</a>:
Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS)
attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&modificationDate=1398873370000&api=v2"
data-linked-resource-id="40895138" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0109.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-0109</a>: HTML content
posted to SOAP endpoint could cause OOM errors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&modificationDate=1398873378000&api=v2"
data-linked-resource-id="40895139" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0110.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-0110</a>: Large invalid
content could cause temporary space to fill</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&modificationDate=1398873385000&api=v2"
data-linked-resource-id="40895140" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0034.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-0034</a>: The
SecurityTokenService accepts certain invalid SAML Tokens as valid</li><li><a
shape="rect"
href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&modificationDate=1398873391000&api=v2"
data-linked-resource-id="40895141" data-linked-resource-version="1" dat
a-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0035.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2014-0035</a>: UsernameTokens
are sent in plaintext with a Symmetric EncryptBeforeSigning policy</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301000&api=v2"
data-linked-resource-id="33095710" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-2160.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502"
data-linked-resource-container-version="55">CVE-2013-2160</a> - Denial of
Service Attacks on Apache CXF</li><li><a shape="rect"
href="cve-2012-5575.html">Note on CVE-20
12-5575</a> - XML Encryption backwards compatibility attack on Apache
CXF.</li><li><a shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> -
Authentication bypass in the case of WS-SecurityPolicy enabled plaintext
UsernameTokens.</li></ul><h3 id="SecurityAdvisories-2012">2012</h3><ul><li><a
shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor
always allows HTTP Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher
attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is
vulnerable to SOAP Action spoofing attacks on Document Literal web
services.</li><li><a shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> -
Apache CXF does not verify that elements were signed or encrypted by a
particular Supporting Token.</li><li><a shape="rect"
href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does no
t pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy
assertions on the client side.</li><li><a shape="rect"
href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption
flaw / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate
UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul><p><br clear="none"></p></div>
</div>
<!-- Content -->
</td>
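Review bot: The new 2026 entries in this list (CVE-2026-44618, CVE-2026-44930) link to plain `.txt` attachments, as the 2022 to 2025 entries do, while the 2013 to 2021 attachments are all `.txt.asc`. If signed copies of the advisories exist, link those instead so that readers can verify the text they download. Two smaller points on the same line: the CVE-2021-22696 title reads "DDos" where "DDoS" is meant, and the CVE-2010-2076 entry is the only absolute link in the visible list and uses `http://svn.apache.org/...`; an https URL would be preferable there.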