XXE Flaws in GeoServer WFS and Apache CXF Expose Servers to SSRF and Data Leakage
GeoServer and Apache CXF disclosed separate XML External Entity vulnerabilities that could let attackers abuse unsafe XML parsing to access sensitive resources. In GeoServer, CVE-2025-30220 affects the Web Feature Service (WFS) through the GeoTools library, where in-memory XSD schema processing does not enforce GeoServer’s ENTITY_RESOLUTION_ALLOWLIST restriction. The flaw can enable information disclosure and server-side request forgery (SSRF) via malicious XML containing external entities or DTDs, with affected GeoServer versions including 2.27.0, 2.26.0 through 2.26.2, and versions up to 2.25.6.
Apache also disclosed CVE-2026-44618, an important-severity XXE flaw in the WS-Transfer functionality of Apache CXF caused by an insecure XML parser configuration. Affected versions include org.apache.cxf:cxf-rt-ws-transfer 4.2.0 before 4.2.1, 4.0.0 before 4.1.6, and all 3.6.x releases before 3.6.11. Vendors urged organizations to upgrade to fixed releases immediately; where GeoServer patching is delayed, defenders were advised to restrict access to WFS endpoints and monitor for suspicious XML requests and outbound activity consistent with SSRF attempts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-44618 in CXF WS-Transfer
Apache disclosed CVE-2026-44618, an important-severity XXE vulnerability in Apache CXF's WS-Transfer functionality caused by insecure XML parser configuration. Affected versions include 4.2.0 before 4.2.1, 4.0.0 before 4.1.6, and all 3.6.x versions before 3.6.11, with upgrades recommended to the fixed releases.
Kudelski details affected GeoServer versions and mitigation guidance
Kudelski Security published technical analysis of CVE-2025-30220, identifying affected GeoServer versions including 2.27.0, 2.26.0 through 2.26.2, and versions up to 2.25.6. It advised immediate upgrades, restricting access to WFS endpoints if patching is delayed, and monitoring for suspicious XML and SSRF-related activity.
GeoServer publishes advisory for CVE-2025-30220 XXE flaw
GeoServer disclosed CVE-2025-30220, a high-severity XML External Entity vulnerability in its Web Feature Service caused by GeoTools schema processing bypassing the ENTITY_RESOLUTION_ALLOWLIST restriction. The issue can enable information disclosure and SSRF via malicious XML payloads using external entities or DTDs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
oss-sec: CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality
seclists.org
Open sourceXML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service - Kudelski Security Research Center
kudelskisecurity.com
Open sourceXML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service · Advisory · geoserver/geoserver · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GeoServer CVE-2025-58360 Added to CISA KEV Due to Active Exploitation
CISA has added CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This vulnerability affects the Web Map Service (WMS) GetMap operation, allowing unauthenticated attackers to exploit improperly restricted XML entity references, potentially leading to file disclosure, server-side request forgery (SSRF), and denial-of-service conditions. The flaw impacts multiple 2.25.x and 2.26.x versions of GeoServer, with patches available in later releases such as 2.25.6 and 2.26.2/2.26.3, and has been integrated into public exploit tools and security scanners, increasing the risk of widespread exploitation. CISA’s inclusion of this vulnerability in the KEV catalog mandates federal agencies to remediate affected systems within a set timeframe, underscoring the urgency for all organizations to prioritize patching or isolating vulnerable GeoServer instances. The vulnerability is particularly concerning due to GeoServer’s role in managing geospatial data for critical infrastructure, government, and enterprise GIS deployments, making exploitation a significant risk for data exposure and internal network compromise. CISA strongly recommends that all organizations, not just federal agencies, address this vulnerability as part of their vulnerability management practices to mitigate the threat of active cyberattacks.
Mar 21, 2026
Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for **Apache CXF** to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include **`CVE-2026-44930`**, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an **XXE** flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible **remote code execution** condition tied to an incomplete fix for an older JMS-related bug. Affected releases include **4.2.0**, **4.0.0 through 4.1.5**, and older branches before **3.6.11**. Apache published patched versions **4.2.1**, **4.1.6**, and **3.6.11**, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
May 26, 2026
Critical XXE Vulnerability in Apache Struts 2 (CVE-2025-68493)
A critical XML External Entity (XXE) injection vulnerability, tracked as CVE-2025-68493, has been identified in the XWork component of Apache Struts 2. This flaw allows attackers to exploit improper XML input validation, potentially leading to sensitive data disclosure, server-side request forgery (SSRF), and denial-of-service (DoS) attacks. The vulnerability affects a wide range of Struts 2 versions, including 2.0.0–2.3.37, 2.5.0–2.5.33, and 6.0.0–6.1.0, exposing millions of applications to risk. Security researchers at ZAST.AI reported the issue, and Apache has rated the vulnerability as 'Important' due to its significant impact on data confidentiality and system availability. Organizations using affected versions are strongly advised to upgrade to Struts 6.1.1, which addresses the vulnerability. The issue is remotely exploitable and has been assigned a CVSS 3.1 score of 8.1 (High). Immediate patching is recommended to prevent exploitation, as attackers can leverage this flaw to extract configuration files, database credentials, and other sensitive information from vulnerable servers. The vulnerability has been confirmed by both independent security researchers and the Apache security team.
Mar 21, 2026