CVE-2025-48913 · CRITICAL 9.8 · EPSS percentile 49.7%


Description

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% probability of exploitation · percentile 49.7% · 2026-06-18T12:00:27Z
Published: 2025-08-08
Last modified: 2025-11-04

Underlying weaknesses (1)

CWE-20 (Improper Input Validation)

References

  1. https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83
  2. http://www.openwall.com/lists/oss-security/2025/08/07/2


Type      Target                               Confidence  Tier
Weakness  Improper Input Validation (cwe-20)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-44930
  2. CVE: Apache Log4j2 Remote Code Execution Vulnerability
  3. CVE: CVE-2026-40860
  4. CVE: CVE-2026-40466
  5. CVE: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
  6. CVE: CVE-2026-42588
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.