PatchSiren cyber security CVE debrief
CVE-2026-40987 Spring CVE debrief
CVE-2026-40987 is a HIGH severity vulnerability with a CVSS score of 7.1. A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local directory) with attacker-controlled content. This issue affects Spring Integration versions 7.0.0 through 7.0.4, 6.5.0 through 6.5.8, 6.4.0 through 6.4.11, 6.3.0 through 6.3.14, and 5.5.0 through 5.5.20.
- Vendor: Spring
- Product: Spring Integration
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of affected Spring Integration versions should review and apply patches or mitigations.
Technical summary
The vulnerability allows a malicious or compromised remote server to make the Spring Integration client write arbitrary files on the client filesystem outside the configured local directory, potentially leading to code execution or data tampering.
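The defensive check that is missing in this class of bug: every server-supplied name must be mapped onto the configured local directory and rejected if it resolves outside it. The following is an added illustration, not Spring Integration's code or its fix; the local directory and the remote listing are constructed for the example.

```python
import os
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Constructed remote listing, as a malicious server might return it.
# Names and the local directory are assumptions for this illustration.
REMOTE_LISTING = [
    "report.csv",
    "2026/06/invoice.pdf",
    "../../.ssh/authorized_keys",   # classic traversal
    "/etc/cron.d/job",               # absolute name
    "nested/../../escape.txt",       # traversal hidden behind a subdir
]


def safe_local_target(local_dir: str, remote_name: str) -> Optional[str]:
    """Map a server-supplied name into local_dir, or return None if it escapes.

    Two layers: first reject names that are absolute or contain a '..'
    segment outright; then canonicalise with os.path.realpath (collapsing
    symlinks) and require the result to stay under the base directory.
    os.path.commonpath is used instead of startswith so that a sibling such
    as '/data/inbound-old' cannot satisfy a check against '/data/inbound'.
    """
    remote = PurePosixPath(remote_name)
    if remote.is_absolute() or ".." in remote.parts or not remote.parts:
        return None
    base = os.path.realpath(local_dir)
    candidate = os.path.realpath(os.path.join(base, *remote.parts))
    try:
        if os.path.commonpath([base, candidate]) != base or candidate == base:
            return None
    except ValueError:  # paths on different drives cannot be compared
        return None
    return candidate


def filter_listing(local_dir: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a remote listing into names safe to fetch and names to refuse."""
    accepted, rejected = [], []
    for name in names:
        (accepted if safe_local_target(local_dir, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_listing("/data/inbound", REMOTE_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected names are also worth logging, since a server that starts returning traversal names is itself an indicator of compromise.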
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates for affected Spring Integration versions.
- Review which FTP/SFTP/SMB servers Spring Integration clients connect to and restrict them to trusted, access-controlled hosts.
- Monitor for suspicious file system changes.
Evidence notes
Evidence suggests that the vendor is likely Spring, based on the reference to spring.io.
Official resources
- CVE-2026-40987 CVE record (CVE.org)
- CVE-2026-40987 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-40987 was published on 2026-06-11T07:16:27.053Z and modified on 2026-06-11T15:21:30.653Z.