A vulnerability marked as problematic has been reported in Apache CXF up to 3.6.10/4.1.5/4.2.0 . This impacts an unknown function of the component WS-Transfer Module . Performing a manipulation results in xml external entity reference. This vulnerability is reported as CVE-2026-44618 . The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.