XPathFactory appears vulnerable to XXE and XEE.
OpenJDK-8 upstream commit: https://github.com/openjdk/jdk8u/commit/dde48aedce2fe649e1737b3eec829428381bcb8f
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/2c7f45612d11199a9d5eaa6d61a2893ec4afa687
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/770db9328cc5ad574bd61a2e42f1a4c5601c0405
OpenJDK-21 upstream commit: https://github.com/openjdk/jdk21u/commit/bb9edcc4a43362aaa49a7b8621291c461f483e24
This CVE was fixed in Oracle Java SE 8u471, 11.0.29, 17.0.17, 21.0.9, 25.0.1.
https://www.oracle.com/java/technologies/javase/8u471-relnotes.html#R180_471
https://www.oracle.com/java/technologies/javase/11-0-29-relnotes.html#R11_0_29
https://www.oracle.com/java/technologies/javase/17-0-17-relnotes.html#R17_0_17
https://www.oracle.com/java/technologies/javase/21-0-9-relnotes.html
https://www.oracle.com/java/technologies/javase/25-0-1-relnotes.html