PatchSiren cyber security CVE debrief
CVE-2026-41721 Spring CVE debrief
CVE-2026-41721 is a Denial of Service (DoS) vulnerability in Spring Data Commons. It is triggered when Spring Data Web Support is enabled in conjunction with a Controller method that uses @ProjectedPayload. An attacker can send a specially crafted HTTP request that causes the application to allocate a large amount of memory, resulting in a DoS condition. The affected versions are Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
- Vendor: Spring
- Product: Spring Data Commons
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring Data Commons, particularly those who have Spring Data Web Support enabled and expose Controller methods that use @ProjectedPayload.
Technical summary
The vulnerability has a CVSS score of 5.9 and a severity of MEDIUM. It is exploited by sending a specially crafted HTTP request to a Controller method that uses @ProjectedPayload while Spring Data Web Support is enabled; the request causes the application to allocate a large amount of memory, which is the source of the DoS condition.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Spring Data Commons (later than the affected ranges listed above).
- Disable Spring Data Web Support if it is not needed.
- Use a Web Application Firewall (WAF) as a compensating control to detect and block malicious requests until the upgrade is applied.
Evidence notes
The CVE record was published on 2026-06-10T00:16:51.917Z and last modified on 2026-06-10T19:24:04.320Z.
Official resources
- CVE-2026-41721 CVE record (CVE.org)
- CVE-2026-41721 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41721 was published on 2026-06-10T00:16:51.917Z.