- CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.
- Note on CVE-2011-1096 - XML Encryption flaw / Character pattern encoding attack.
- CVE-2012-0803 - Apache CXF does not validate UsernameToken policies correctly.
- CVE-2010-2076 - DTD based XML attacks.