Moderate severityNVD Advisory· Published Jun 3, 2015· Updated May 6, 2026

CVE-2015-0264

Description

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.camel:camel-coreMaven	< 2.13.4	2.13.4
org.apache.camel:camel-coreMaven	>= 2.14.0, < 2.14.2	2.14.2

Affected products

Apache/Camel3 versions
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*range: <=2.13.3
- cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*

Patches

7360aada5154

https://github.com/apache/camelvia ghsa

commit

b47b51a195b3

https://github.com/apache/camelvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.002
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000