- CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore.
- CVE-2019-17573: Apache CXF Reflected XSS in the services listing page. Note that this attack exploits a feature which is typically not present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
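
For CVE-2019-12423, one way to check what a JWK keys endpoint actually returns is to scan the response for private or secret key members. This is an added example, not code from Apache CXF; the function name `find_private_material` and the sample response are constructed for illustration, and the member names follow RFC 7518 and RFC 8037.

```python
import json

# Private/secret JWK members per RFC 7518 (RSA, EC, oct) and RFC 8037 (OKP).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}
ALL_PRIVATE = set().union(*PRIVATE_MEMBERS.values())


def find_private_material(jwks_text):
    """Return (kid, kty, leaked member names) for every key exposing secrets."""
    doc = json.loads(jwks_text)
    # Accept either a JWK Set ({"keys": [...]}) or a single bare JWK.
    keys = doc.get("keys", [doc]) if isinstance(doc, dict) else []
    if not isinstance(keys, list):
        keys = []
    findings = []
    for index, key in enumerate(keys):
        if not isinstance(key, dict):
            continue
        kty = key.get("kty")
        known = PRIVATE_MEMBERS.get(kty) if isinstance(kty, str) else None
        # Unknown or missing key type: check against every private member name.
        private = known or ALL_PRIVATE
        leaked = sorted(private.intersection(key))
        if leaked:
            findings.append((key.get("kid", f"#{index}"), kty, leaked))
    return findings


# Constructed sample response; the values are placeholders, not key material.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-1", "n": "AAAA", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-2", "n": "AAAA", "e": "AQAB",
     "d": "BBBB", "p": "CCCC", "q": "DDDD"},
    {"kty": "oct", "kid": "hmac-1", "k": "EEEE"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "FFFF", "y": "GGGG"},
]})

if __name__ == "__main__":
    for kid, kty, leaked in find_private_material(SAMPLE_JWKS):
        print(f"key {kid} ({kty}) exposes private members: {', '.join(leaked)}")
```

Any finding means the endpoint is publishing signing or decryption secrets, and the affected keys should be treated as compromised and rotated.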