HIGH | JUNE 08, 2026 | CVE-2026-41842
Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks
when resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring…
MEDIUM | JUNE 08, 2026 | CVE-2026-41843
Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when
resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring WebFlux. The…
MEDIUM | JUNE 08, 2026 | CVE-2026-41841
Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when
resolving static resources. More precisely, an application can be vulnerable when all the following are true: The application uses Spring MVC or Spring…
MEDIUM | JUNE 08, 2026 | CVE-2026-41846
Spring MVC applications which accept user-supplied values in the cssClass,
cssErrorClass, or cssStyle attributes of JSP tags allow arbitrary
HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS…
MEDIUM | JUNE 08, 2026 | CVE-2026-41844
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where
the view name is not explicitly specified allows an attacker to craft a link resulting in
a 302 redirect to an arbitrary external host via the redirect: prefix…
MEDIUM | JUNE 08, 2026 | CVE-2026-41847
Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin
Router DSL. More precisely, an application can be vulnerable when all the following are true: The application uses Spring WebFlux. The application uses the…
LOW | JUNE 08, 2026 | CVE-2026-41848
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack
if an attacker is able to provide a pattern which is then directly or indirectly
supplied to one of the following methods in AntPathMatcher: match(String…
HIGH | JUNE 08, 2026 | CVE-2026-41849
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression
Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL
expression that triggers excessive resource consumption, resulting in a…
HIGH | JUNE 08, 2026 | CVE-2026-41845
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to
JavaScript code injection in the browser, potentially resulting in a cross-site scripting
(XSS) vulnerability. Affected Spring Products and Versions Spring…
HIGH | JUNE 08, 2026 | CVE-2026-41850
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions
are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially
crafted expression, an attacker can trigger excessive resource consumption…
