A vulnerability identified as problematic has been detected in Apache CXF up to 4.1.6/4.2.1 . Impacted is the function W3CMultiSchemaFactory/EndpointReferenceUtils . The manipulation leads to xml external entity reference. This vulnerability is listed as CVE-2026-49875 . The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.