HIGH | JUNE 08, 2026 | CVE-2026-40983
Description: In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses a vulnerable…
HIGH | JUNE 08, 2026 | CVE-2026-40984
Description: In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses a vulnerable…
MEDIUM | JUNE 08, 2026 | CVE-2026-41710
Description: An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful…
MEDIUM | JUNE 08, 2026 | CVE-2026-41838
Description: IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected Spring Products and Versions: Spring Framework: 7.0.…
LOW | JUNE 08, 2026 | CVE-2026-41839
Description: A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected Spring Products and…
HIGH | JUNE 08, 2026 | CVE-2026-41720
Description: Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. RFC 4513 Section 5.1.2 defines this as an unauthenticated bind. On LDAP servers that…
MEDIUM | JUNE 08, 2026 | CVE-2026-41840
Description: Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. More precisely, an application can be vulnerable when all the following are true: The application uses Spring WebFlux. The application…
MEDIUM | JUNE 08, 2026 | CVE-2026-41841
Description: Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring…
HIGH | JUNE 08, 2026 | CVE-2026-41842
Description: Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring…
MEDIUM | JUNE 08, 2026 | CVE-2026-41844
Description: A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix…