HIGH | JUNE 11, 2026 | CVE-2026-41708
Description In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses a…
HIGH | JUNE 11, 2026 | CVE-2026-41862
Description Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code…
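The advisory above describes a deserialisation backend that accepts whatever class name appears in the persisted stream. The following added example (not Spring Statemachine's own code) shows the difference between a permissive Kryo reader and one that enforces a class allowlist via Kryo 5's `setRegistrationRequired(true)`; the `PersistedContext` type and the use of `HashMap` as a stand-in for an unexpected class are assumptions for illustration.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

// Added example: a Kryo instance hardened with an explicit class allowlist.
// PersistedContext is a hypothetical stand-in for a persisted state-machine context.
public class KryoAllowlistDemo {

    public static final class PersistedContext {
        public String state;
        public ArrayList<String> history = new ArrayList<>();
    }

    // Permissive: any class name found in the stream is resolved and instantiated.
    static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened: only classes registered here may be read back; anything else is rejected
    // before an instance is created.
    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(PersistedContext.class);
        kryo.register(ArrayList.class);
        return kryo;
    }

    static byte[] serialise(Kryo kryo, Object value) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (Output out = new Output(bos)) {
            kryo.writeClassAndObject(out, value);
        }
        return bos.toByteArray();
    }

    static Object deserialise(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) {
            return kryo.readClassAndObject(in);
        }
    }

    public static void main(String[] args) {
        // Constructed "persisted" blob carrying a class the reader never intended to accept
        // (HashMap stands in for a gadget class an attacker would choose).
        byte[] untrusted = serialise(permissiveKryo(), new HashMap<String, String>());

        // The permissive reader materialises the foreign class without complaint.
        System.out.println("permissive reader got: " + deserialise(permissiveKryo(), untrusted).getClass());

        // The hardened reader refuses the unregistered class. Kryo reports this as a
        // RuntimeException (IllegalArgumentException or KryoException depending on the path),
        // so catch the common supertype.
        try {
            deserialise(hardenedKryo(), untrusted);
            System.out.println("hardened reader unexpectedly accepted the payload");
        } catch (RuntimeException e) {
            System.out.println("hardened reader rejected: " + e.getMessage());
        }

        // A legitimate context still round-trips through the hardened configuration.
        PersistedContext ctx = new PersistedContext();
        ctx.state = "S1";
        ctx.history.add("S0");
        PersistedContext back = (PersistedContext) deserialise(hardenedKryo(), serialise(hardenedKryo(), ctx));
        System.out.println("round trip: state=" + back.state + " history=" + back.history);
    }
}
```

Registration IDs are assigned in registration order, so every reader and writer must register the same classes in the same order; keeping that list in one shared method, as above, avoids drift between the persisting and restoring sides.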
HIGH | JUNE 11, 2026 | CVE-2026-47825
Description Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected Spring Products and Versions Spring Cloud…
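Forwarding `X-Forwarded-For` from an untrusted peer lets a client choose the address downstream services see. The added example below (generic Java, not Spring Cloud Gateway's code) contrasts the naive "leftmost entry wins" reading with a walk from the right that stops at the first address not in a trusted-proxy allowlist; the proxy addresses and sample requests are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example: derive the client address from X-Forwarded-For while trusting only
// known proxies. TRUSTED_PROXIES is a hypothetical allowlist.
public class ForwardedForDemo {

    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    // Vulnerable reading: believe the leftmost entry no matter who sent it.
    static String naiveClientIp(String remoteAddr, String xff) {
        if (xff == null || xff.isBlank()) return remoteAddr;
        return xff.split(",")[0].trim();
    }

    // Hardened reading: the TCP peer is the only address we know for certain. If it is not
    // one of our proxies, its header is untrusted in full. Otherwise walk the chain from the
    // right, skipping our own proxies, and the first other address is the client.
    static String trustedClientIp(String remoteAddr, String xff) {
        if (!TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        List<String> hops = new ArrayList<>();
        if (xff != null) {
            for (String h : xff.split(",")) {
                String t = h.trim();
                if (!t.isEmpty()) hops.add(t);
            }
        }
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!TRUSTED_PROXIES.contains(hops.get(i))) return hops.get(i);
        }
        // Every hop was one of our proxies, or the header was absent: fall back to the peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed case 1: a client at 198.51.100.7 connects directly (not via our proxies)
        // and forges X-Forwarded-For to claim a loopback origin. The naive reading accepts
        // the forgery; the hardened reading keeps the peer address.
        System.out.println("naive:    " + naiveClientIp("198.51.100.7", "127.0.0.1"));
        System.out.println("hardened: " + trustedClientIp("198.51.100.7", "127.0.0.1"));

        // Constructed case 2: the request really did pass through 10.0.0.5 and 10.0.0.6, but
        // the client prepended a forged entry. The right-to-left walk ignores it and stops at
        // the first non-proxy hop.
        System.out.println("naive:    " + naiveClientIp("10.0.0.6", "1.2.3.4, 203.0.113.9, 10.0.0.5"));
        System.out.println("hardened: " + trustedClientIp("10.0.0.6", "1.2.3.4, 203.0.113.9, 10.0.0.5"));
    }
}
```

The same rule applies to the RFC 7239 `Forwarded` header: strip or ignore it when the peer is not a trusted proxy, and never append to a chain you did not validate.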
MEDIUM | JUNE 10, 2026 | CVE-2026-40985
Description Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Pre-conditions: The application explicitly configures the WebFlowELExpressionParser or its base class "ELExpressionParser". The…
MEDIUM | JUNE 10, 2026 | CVE-2026-40986
Description Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error…
HIGH | JUNE 10, 2026 | CVE-2026-40987
Description A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected Spring Products and Versions Spring Integration: 7.0.…
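A remote file server controls the names it returns in a listing, so a client that joins those names onto its local directory without checking the result can be steered anywhere on the filesystem. The added example below (plain Java, not Spring Integration's code) confines each remote name to the configured local directory; the directory and the sample names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: confine files named by a remote FTP/SFTP/SMB listing to the local directory.
public class LocalDirectoryGuard {

    // Returns the local path for a remote file name, or throws if the name would escape localDir.
    static Path resolveWithin(Path localDir, String remoteName) {
        Path base = localDir.toAbsolutePath().normalize();
        // resolve() returns the argument unchanged if it is absolute, and normalize() folds
        // any ".." segments, so the startsWith check below sees the real destination.
        Path candidate = base.resolve(remoteName).normalize();
        // startsWith compares whole path components, so "/var/app/inbound2" does not pass
        // for base "/var/app/inbound". Also refuse a name that resolves to the directory itself.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("remote file name escapes local directory: " + remoteName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path localDir = Paths.get("/var/app/inbound");  // hypothetical configured local-directory
        String[] names = {
            "report.csv",                    // ordinary name: accepted
            "../../../etc/cron.d/evil",      // traversal: rejected
            "/root/.ssh/authorized_keys",    // absolute name: rejected
            "sub/../ok.txt",                 // folds back inside: accepted
            "."                              // the directory itself: rejected
        };
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveWithin(localDir, n));
            } catch (SecurityException e) {
                System.out.println(n + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

`normalize()` works on the lexical path only; if the local directory can contain symlinks placed by another party, resolve the parent with `toRealPath()` before the check. A synchroniser that is not meant to recurse can be stricter still and require `candidate.getParent().equals(base)`.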
MEDIUM | JUNE 10, 2026 | CVE-2026-40992
Description Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected Spring Products and…
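The advisory names the property that closes the gap. The added configuration fragment below (an illustration, not Spring Boot's own defaults) shows a STARTTLS setup that trusts the server's certificate chain but never checks its identity, beside the hardened form; the host, port and credential placeholders are assumptions.

```properties
spring.mail.host=smtp.example.com
spring.mail.port=587
spring.mail.username=app
spring.mail.password=${SMTP_PASSWORD}

# Weak: TLS is negotiated, but without checkserveridentity the certificate only has to
# chain to a trusted CA; its subject is never compared with spring.mail.host, so a
# certificate for any other host passes.
# spring.mail.properties.mail.smtp.starttls.enable=true

# Hardened: require STARTTLS (refuse to fall back to plaintext) and verify that the
# certificate presented belongs to the host we connected to.
spring.mail.properties.mail.smtp.starttls.enable=true
spring.mail.properties.mail.smtp.starttls.required=true
spring.mail.properties.mail.smtp.ssl.checkserveridentity=true
```

Everything under `spring.mail.properties.` is passed through to JavaMail unchanged, so the same keys apply whether the session is built by Boot's auto-configuration or by a hand-configured `JavaMailSenderImpl`.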
HIGH | JUNE 10, 2026 | CVE-2026-40994
Description Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData, contradicting the intended secure default and published setter contract. Services…
MEDIUM | JUNE 10, 2026 | CVE-2026-40996
Description Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material…
MEDIUM | JUNE 10, 2026 | CVE-2026-40997
Description Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic…