PatchSiren cyber security CVE debrief
CVE-2026-41843 Spring CVE debrief
CVE-2026-41843 is a Path Traversal vulnerability affecting Spring MVC and WebFlux applications when resolving static resources. The affected versions are Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; and 5.3.0 through 5.3.48. The CVSS score for this vulnerability is 5.9, with a severity rating of MEDIUM.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Developers and administrators using Spring MVC and WebFlux applications, particularly those with publicly accessible static resources, should be aware of this vulnerability.
Technical summary
The vulnerability arises from improper handling of static resource resolution in Spring MVC and WebFlux applications, allowing an attacker to perform path traversal when requesting static resources.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Spring Framework: 7.0.8 or later, 6.2.19 or later, 6.1.28 or later, or 5.3.49 or later.
- Implement proper input validation and sanitization for static resource requests.
- Review and restrict access to static resources, if necessary.
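Before applying the actions above, a defender needs to know whether a deployed build falls in one of the four affected branches. The following Python script is an added example, not part of the original debrief or of the Spring project; it encodes the affected ranges and fixed releases quoted above and runs them over a constructed sample of `mvn dependency:tree` output (the artifact lines are fabricated for illustration).

```python
"""Check Spring Framework versions against the CVE-2026-41843 affected ranges."""
import re

# Affected ranges (inclusive) and first fixed release per branch, as stated in the advisory.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 7), "7.0.8"),
    ((6, 2, 0), (6, 2, 18), "6.2.19"),
    ((6, 1, 0), (6, 1, 27), "6.1.28"),
    ((5, 3, 0), (5, 3, 48), "5.3.49"),
]

def parse_version(text):
    """Turn '6.2.5' (or '6.2.5-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def check_version(version):
    """Return (affected, fix_version); fix_version is None when the version is not affected."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fix
    return False, None

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] +- org.springframework:spring-webmvc:jar:6.2.18:compile
[INFO] |  \\- org.springframework:spring-core:jar:6.2.18:compile
[INFO] +- org.springframework:spring-webflux:jar:6.1.28:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
"""

def scan_dependency_tree(text):
    """Return {artifact: (version, affected, fix)} for the spring-webmvc/spring-webflux lines."""
    pattern = re.compile(r"org\.springframework:(spring-webmvc|spring-webflux):jar:([^:]+):")
    findings = {}
    for m in pattern.finditer(text):
        artifact, version = m.groups()
        affected, fix = check_version(version)
        findings[artifact] = (version, affected, fix)
    return findings

if __name__ == "__main__":
    for artifact, (version, affected, fix) in scan_dependency_tree(SAMPLE_TREE).items():
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{artifact} {version}: {status}")
```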
Evidence notes
The CVE-2026-41843 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-41843). Details can also be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-41843).
Official resources
- [CVE-2026-41843 CVE record](https://www.cve.org/CVERecord?id=CVE-2026-41843) (CVE.org)
- [CVE-2026-41843 NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-41843) (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41843 was published on 2026-06-09T05:16:36.320Z and modified on 2026-06-09T20:37:05.070Z.