PatchSiren cyber security CVE debrief
CVE-2026-41719 Spring CVE debrief
A SpEL Injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. This vulnerability affects multiple versions of Spring Data KeyValue and Spring Data Redis.
- Vendor: Spring
- Product: Spring Data KeyValue
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of affected Spring Data KeyValue and Spring Data Redis versions should review and apply patches or mitigations.
Technical summary
The vulnerability arises from unsanitized user input being passed as Sort into a repository query method, which delegates evaluation to the SpelPropertyComparator. Affected versions of Spring Data KeyValue / Spring Data Redis:
- 4.0.0 through 4.0.5
- 3.5.0 through 3.5.11
- 3.4.0 through 3.4.14
- 3.3.0 through 3.3.16
- 3.2.0 through 3.2.15
- 3.1.0 through 3.1.14
- 3.0.0 through 3.0.15
- 2.7.0 through 2.7.19
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to affected versions of Spring Data KeyValue and Spring Data Redis.
- Validate and sanitize user input to prevent SpEL Injection attacks.
- Review repository query methods for potential vulnerabilities.
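A defensive pattern for the second action above, added here as an example and not PatchSiren's or the Spring project's code: request-supplied sort properties are checked against a fixed allowlist of entity fields before a Sort object is built, so arbitrary text never reaches the repository method. The entity field names and the "field,direction" parameter format are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.springframework.data.domain.Sort;

// Gate between untrusted request parameters and a Spring Data repository call.
// ALLOWED lists hypothetical entity fields; adjust it to the real entity.
public final class SafeSort {

    // Only properties the entity actually exposes may be sorted on. Anything
    // else is refused outright rather than sanitized and passed through.
    private static final Set<String> ALLOWED = Set.of("id", "createdAt", "name");

    private SafeSort() {}

    /**
     * Build a Sort from request values shaped like "field,asc" or "field,desc".
     * Throws IllegalArgumentException for any property outside the allowlist.
     * Typical use: repository.findAll(SafeSort.fromRequest(params))
     */
    public static Sort fromRequest(List<String> sortParams) {
        if (sortParams == null || sortParams.isEmpty()) {
            return Sort.unsorted();
        }
        List<Sort.Order> orders = new ArrayList<>();
        for (String raw : sortParams) {
            String[] parts = raw.split(",", 2);
            String property = parts[0].trim();
            if (!ALLOWED.contains(property)) {
                // Reject: the raw value never becomes a Sort property and so
                // never reaches the comparator that evaluates it.
                throw new IllegalArgumentException("Unsupported sort property");
            }
            Sort.Direction dir =
                    parts.length > 1 && "desc".equalsIgnoreCase(parts[1].trim())
                            ? Sort.Direction.DESC
                            : Sort.Direction.ASC;
            orders.add(new Sort.Order(dir, property));
        }
        return Sort.by(orders);
    }
}
```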
Evidence notes
The CVE-2026-41719 record indicates a MEDIUM severity vulnerability with a CVSS score of 6.4.
Official resources
- CVE-2026-41719 CVE record (CVE.org)
- CVE-2026-41719 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41719 was published on 2026-06-10T00:16:51.800Z and modified on 2026-06-10T19:24:04.320Z.