MEDIUM | JUNE 09, 2026 | CVE-2026-41730
Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected applications are those that expose a Spring Data REST repository backed by a…
HIGH | JUNE 09, 2026 | CVE-2026-41716
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected applications are those using Spring Data features that forward HTTP…
HIGH | JUNE 09, 2026 | CVE-2026-41728
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected applications are those whose domain model includes…
MEDIUM | JUNE 09, 2026 | CVE-2026-41837
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected Spring Products and Versions Spring Data…
MEDIUM | JUNE 09, 2026 | CVE-2026-40991
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when…
HIGH | JUNE 08, 2026 | CVE-2026-41720
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. RFC 4513 Section 5.1.2 defines this as an unauthenticated bind. On LDAP servers that…
MEDIUM | JUNE 08, 2026 | CVE-2026-41710
An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful…
MEDIUM | JUNE 08, 2026 | CVE-2026-41838
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be exploitable in combination with inadequate authorization rules. Affected Spring Products and Versions Spring Framework: 7.0.…
LOW | JUNE 08, 2026 | CVE-2026-41839
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected Spring Products and…
MEDIUM | JUNE 08, 2026 | CVE-2026-41841
Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring…