Hi Recently released version of CXF (2.6.15) depends on Spring 3.0.7.RELEASE. Spring 3.0.7.RELEASE is affected by following vulnerabilities: CVE-2014-0225, CVE-2014-1904. Is also CXF affected? Or CXF uses Spring in the way, that is not affected? br Tom