CVE-2026-50633

CVE Database · CVE-2026-50633

CVE-2026-50633

· HIGHAnalyzed

CVSS v3.1

8.1

EPSS

0.66%

Published

Jun 12, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-20

Affected Products (2)

apache · cxf (up to 4.1.7)vulnerable

apache · cxf (up to 4.2.2)vulnerable

References (2)

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/10

Mailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs