PatchSiren cyber security CVE debrief
CVE-2026-41848 Spring CVE debrief
CVE-2026-41848 is a Regular Expression Denial of Service (ReDoS) vulnerability in Spring Framework. Applications may be vulnerable if an attacker provides a malicious pattern to certain methods in AntPathMatcher. The affected versions are Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 should apply patches or mitigations.
Technical summary
The vulnerability exists in the AntPathMatcher class, specifically in the match, matchStart, and extractUriTemplateVariables methods. An attacker who can control the pattern argument passed to these methods can supply a specially crafted pattern that causes a denial of service.
Defensive priority
Low
Recommended defensive actions
- Apply patches or updates to Spring Framework versions 7.0.8, 6.2.19, 6.1.28, or 5.3.49.
- Use a different path matching strategy if possible.
- Limit the input length and complexity of patterns.
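As an added defensive example (not code from this debrief or from the Spring project), a hypothetical guard that applies the last two actions above before an untrusted pattern reaches AntPathMatcher; the length budget, the wildcard cap, and the rejection of {name:regex} template variables are assumed policy choices, not Spring settings.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.util.AntPathMatcher;

// Hypothetical guard (assumed, not part of Spring): vets an untrusted Ant-style
// pattern for length and complexity before AntPathMatcher compiles it.
public final class GuardedAntMatcher {
    private static final int MAX_PATTERN_LENGTH = 256; // assumed budget, tune per application
    private static final int MAX_WILDCARDS = 8;        // assumed cap on '*' and '?' characters
    // {name:regex} template variables embed a caller-chosen regular expression.
    private static final Pattern CUSTOM_REGEX_VARIABLE = Pattern.compile("\\{[^/{}]*:[^}]*\\}");
    private final AntPathMatcher matcher = new AntPathMatcher();

    /** True only when the pattern stays inside the configured length and complexity budget. */
    public boolean isAcceptablePattern(String pattern) {
        if (pattern == null || pattern.length() > MAX_PATTERN_LENGTH) {
            return false;
        }
        int wildcards = 0;
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*' || c == '?') {
                wildcards++;
            }
        }
        if (wildcards > MAX_WILDCARDS) {
            return false;
        }
        // Untrusted input may not bring its own regex into a template variable.
        return !CUSTOM_REGEX_VARIABLE.matcher(pattern).find();
    }

    private String checked(String pattern) {
        if (!isAcceptablePattern(pattern)) {
            throw new IllegalArgumentException("pattern rejected by complexity guard");
        }
        return pattern;
    }

    /** Same contract as AntPathMatcher.match, but rejected patterns never reach it. */
    public boolean match(String untrustedPattern, String path) {
        return matcher.match(checked(untrustedPattern), path);
    }

    /** Same contract as AntPathMatcher.extractUriTemplateVariables, guarded the same way. */
    public Map<String, String> extractVariables(String untrustedPattern, String path) {
        return matcher.extractUriTemplateVariables(checked(untrustedPattern), path);
    }
}
```

Treating untrusted input as the path rather than the pattern remains the stronger option; the guard is for cases where the pattern itself must come from outside.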
Evidence notes
The CVE-2026-41848 record and NVD detail provide information on the vulnerability and affected versions.
Official resources
- CVE-2026-41848 CVE record (CVE.org)
- CVE-2026-41848 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41848 was published on 2026-06-09T05:16:36.940Z. The CVE was modified on 2026-06-11T15:45:59.177Z.