PatchSiren cyber security CVE debrief
CVE-2026-41849 Spring CVE debrief
CVE-2026-41849 is a HIGH severity vulnerability with a CVSS score of 7.5. The vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL) and can be exploited by supplying a specially crafted SpEL expression, resulting in excessive resource consumption and a Denial of Service (DoS).
- Vendor: Spring
- Product: Spring Framework
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Spring Framework 5.3.0 through 5.3.48 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Spring Framework 5.3.49 or later.
- Implement proper input validation and sanitization for SpEL expressions.
- Monitor and limit resource consumption by SpEL expressions.
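The last two actions can be put into one place where untrusted SpEL is evaluated. The following Java helper is an added illustration written for this debrief, not code from the Spring project or from the advisory; the class and the limits it uses are assumptions, and it relies on the `SpelParserConfiguration` constructor that takes a maximum expression length (assumed present in the 5.3 line this page covers). Upgrading remains the actual fix; this only bounds what a crafted expression can cost while the upgrade is rolled out.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelCompilerMode;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Hypothetical helper: evaluates untrusted SpEL under a size and time budget. */
public final class BoundedSpelEvaluator {

    // Constructed limits; tune them to the application's real expressions.
    private static final int MAX_EXPRESSION_LENGTH = 512;
    private static final long TIME_BUDGET_MS = 200;

    private final SpelExpressionParser parser = new SpelExpressionParser(
            new SpelParserConfiguration(
                    SpelCompilerMode.OFF,    // never compile untrusted input to bytecode
                    null,                    // default class loader
                    false,                   // do not auto-grow null references
                    false,                   // do not auto-grow collections
                    0,                       // maximum auto-grow size
                    MAX_EXPRESSION_LENGTH)); // parser rejects oversized expressions

    private final ExecutorService pool = Executors.newCachedThreadPool();

    /** Evaluates {@code expr} against {@code root} with read-only data binding only. */
    public Object evaluate(String expr, Object root) throws Exception {
        if (expr == null || expr.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("SpEL expression rejected: too long");
        }
        Expression parsed = parser.parseExpression(expr); // throws on invalid input
        // SimpleEvaluationContext exposes no type references, constructors or beans.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Future<Object> result = pool.submit(() -> parsed.getValue(ctx, root));
        try {
            return result.get(TIME_BUDGET_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Caveat: cancel(true) only interrupts; a CPU-bound evaluation may keep
            // running until it finishes, so log the event and rate-limit the caller.
            result.cancel(true);
            throw new IllegalStateException("SpEL evaluation exceeded time budget", e);
        }
    }
}
```

Timeouts and rejected expressions are worth counting per client in monitoring, since a burst of them is the observable signature of an attempt to exhaust the evaluator.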
Evidence notes
The CVE-2026-41849 vulnerability was published on 2026-06-09T05:16:37.060Z and modified on 2026-06-09T20:36:29.947Z. The vulnerability affects Spring Framework 5.3.0 through 5.3.48.
Official resources
- CVE-2026-41849 CVE record (CVE.org)
- CVE-2026-41849 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory