These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-47825 is a high-severity vulnerability affecting Spring Cloud Gateway Server. The vulnerability allows for header injection attacks due to the forwarding of X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both WebMVC and WebFlux Gateway Servers. The affected versions are Spring Cloud Gateway 3.1.x (fix 3.1.13), 4.1.x (fix 4.1.13), 4.2. [truncated]
A high-severity vulnerability (CVSS Score: 8.6) was discovered in Spring AI Vector Stores. This issue allows special characters to be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. The affected components include spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store. This vulnerability impacts Spring AI versions 1.0.0 t [truncated]
CVE-2026-41708 is a HIGH severity vulnerability in Spring Cloud Sleuth, with a CVSS score of 7.5. The vulnerability allows a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versio [truncated]
CVE-2026-41700 is a HIGH severity vulnerability in Spring for GraphQL applications that have enabled the WebSocket transport, allowing for Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions include Spring for GraphQL 2.0.0 through 2.0.3; 1. [truncated]
CVE-2026-41699 is a HIGH severity vulnerability in Spring for GraphQL applications, allowing for Remote Code Execution via Unsafe Deserialization when handling paginated GraphQL queries. An attacker can craft a malicious GraphQL request to exploit this vulnerability when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization.
CVE-2026-41001 is a medium severity vulnerability in Spring Boot's ArtemisEmbeddedConfigurationFactory. A local attacker can exploit this vulnerability by pre-creating a predictable directory or placing a symlink before the application starts. The vulnerability affects Spring Boot versions 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, 3.4.0 through 3.4.16, 3.3.0 through 3.3.19, and 2.7.0 through 2.7.33.
CVE-2026-41000 is a vulnerability in the Wss4jSecurityInterceptor of Spring Web Services. The interceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. This could make protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics ineffective, even when operators configured [truncated]
CVE-2026-40999 is a high-severity vulnerability in Spring Web Services. When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. This vulnerability affects Spring Web Service [truncated]
CVE-2026-40998 is a vulnerability in Spring Web Services that allows for XML External Entity (XXE) style attacks. The Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. This vulnerability affects Spring Web Servic [truncated]
CVE-2026-40997 is a medium-severity vulnerability in Spring Web Services that could allow remote attackers to infer account state through exception messages or callback outcomes. The vulnerability affects several Spring WS integration paths with Spring Security, potentially surfacing detailed account state, such as locked or disabled user semantics, to remote SOAP clients.
CVE-2026-40996 is a vulnerability in Spring Web Services that affects versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. The vulnerability arises from the Wss4jSecurityInterceptor's default setting of allowRSA15KeyTransportAlgorithm to true, which overrides Apache WSS4J's safer default. This allows for the acceptance of RSA PKCS#1 v1.5 (rsa-1_5) encrypted key [truncated]
CVE-2026-40995 is a vulnerability in Spring Web Services that affects versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. The vulnerability is caused by the X509AuthenticationProvider issuing a fully authenticated X509AuthenticationToken when a presented certificate maps to UserDetails, without applying Spring Security's standard account lifecycle checks. This [truncated]
CVE-2026-40994 is a HIGH severity vulnerability with a CVSS score of 8.2. The Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. This allows services that validate WS-Security on the network to accept messages that violate BSP rules, weakening protocol-level checks. Affected versions include S [truncated]
CVE-2026-40992 is a medium-severity vulnerability in Spring Boot's Mail auto-configuration. The vulnerability has a CVSS score of 5 and CVSS severity of MEDIUM. It was published on 2026-06-11T07:16:27.177Z and modified on 2026-06-11T15:21:30.653Z. The affected versions are Spring Boot 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, and 3.4.0 through 3.4.16. Applications that set the relevant JavaMail property, [truncated]
CVE-2026-40987 is a HIGH severity vulnerability with a CVSS score of 7.1. A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. This issue affects Spring Integration versions 7.0.0 through 7.0.4, 6.5.0 through 6.5.8, 6.4.0 through 6.4.11, 6.3.0 through 6.3.14, and 5.5.0 through 5.5.20.
A medium-severity vulnerability, CVE-2026-40986, was found in Spring Web Flow's JavaScript RemotingHandler. The issue causes the body of an error response to be rendered as HTML, even when the response is not 'text/html'. This can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. The affected versions are [truncated]
A vulnerability in Spring Web Flow allows malicious Unified EL expressions to be used when configuring the WebFlowELExpressionParser. This issue affects Spring Web Flow versions 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1.
CVE-2026-41837 is a vulnerability in Spring Data REST's Querydsl integration. The affected versions are Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5. This vulnerability allows arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. T [truncated]
CVE-2026-41732 is a HIGH severity vulnerability in Spring for Apache Pulsar, with a CVSS score of 8.1. The vulnerability arises from a prefix check in JsonPulsarHeaderMapper that matched type headers against trusted packages, implicitly trusting all subpackages of a trusted package. Furthermore, an empty trusted-packages configuration would fall back to trusting all packages instead of applying a safe def [truncated]
CVE-2026-41731 is a HIGH severity vulnerability in Spring for Apache Kafka. The JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check. This meant that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused th [truncated]
CVE-2026-41730 is a vulnerability in Spring Data REST that could allow exposure of sensitive information. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. It affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.
CVE-2026-41729 is a high-severity vulnerability in Spring Data REST, allowing SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. The vulnerability occurs when a persistent entity exposes a Map-typed property, and the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or valida [truncated]
CVE-2026-41728 is a HIGH severity vulnerability in Spring Data REST's JSON Patch (application/json-patch+json) implementation. The vulnerability occurs because the write-access filter is not applied to intermediate path segments when resolving a multi-segment JSON Pointer. This issue affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, a [truncated]
CVE-2026-41727 is a medium-severity vulnerability in Spring Kafka's retry topic infrastructure. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. This issue affects Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 thro [truncated]
CVE-2026-41726 is a MEDIUM-severity vulnerability affecting Spring for Apache Kafka. When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. The affected versions are Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3. [truncated]
CVE-2026-41721 is a Denial of Service (DoS) vulnerability in Spring Data Commons. The vulnerability occurs when Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload. An attacker can send a specially crafted HTTP request that causes the application to allocate large amounts of memory, leading to a DoS condition. The affected versions are Spring Data Commons 4.0.0 throug [truncated]
A SpEL Injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. This vulnerability affects multiple versions of Spring Data KeyValue and Spring Data Redis.
CVE-2026-41717 is a high-severity vulnerability in Spring Data MongoDB, allowing for SpEL (Spring Expression Language) expression injection. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. This vulnerability has a CVSS score of 8.1 and is considered HIGH severity.
CVE-2026-41716 is a high-severity vulnerability in Spring Data that allows for heap exhaustion through repeated requests. The vulnerability is caused by the internal property-lookup cache in Spring Data accepting and permanently retaining attacker-supplied strings as cache keys. This can lead to heap exhaustion, potentially causing a denial-of-service (DoS) attack.
CVE-2026-41714 is a medium-severity vulnerability affecting Spring AMQP versions 2.4.0 through 2.4.17, 3.1.0 through 3.1.15, 3.2.0 through 3.2.10, and 4.0.0 through 4.0.3. The issue arises when applications configure their broker connection via `RabbitConnectionFactoryBean.setUri(
A Denial of Service (DoS) vulnerability was discovered in Spring Data Commons, which can be exploited to cause a StackOverflowException when parsing Sort parameters. This vulnerability affects multiple versions of Spring Data Commons, including 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.7.0 [truncated]
CVE-2026-41706 is a vulnerability in Spring Security's CookieRequestCache and CookieServerRequestCache. These components store the pre-authentication request URL in a browser cookie to redirect users to their intended destination after a successful login. However, in affected versions, the full absolute URL is stored in the cookie and used without validation as the post-login redirect target. This allows [truncated]
CVE-2026-41701 is a medium-severity vulnerability in Spring AMQP. The issue arises from predictable correlation IDs for replies in the RabbitTemplate.sendAndReceive() method with a fixed reply queue. This predictability stems from an internal simple counter. The affected versions include Spring AMQP 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17.
CVE-2026-41697 is a vulnerability in Spring Data Relational that allows an attacker to perform boolean-based blind data inference by supplying wildcard characters. The vulnerability affects Spring Data Relational/JDBC/R2DBC versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.4.0 through 2.4.19.
CVE-2026-41696 is a vulnerability in Spring Data MongoDB that allows an attacker to break out of intended regular expression quoting by supplying a crafted string. This issue affects Spring Data MongoDB versions 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, and 3.4.0 through 3.4.19.
CVE-2026-41695 is a high-severity denial of service vulnerability in Spring Data Commons. Applications using affected versions may be vulnerable to resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. The affected versions include Spring Data Commons 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, and 3.4.0 through 3.4.14.
CVE-2026-41694 is a low-severity vulnerability in Spring Security that allows attackers to craft SAML payloads and use the Service Provider as a decryption oracle. The vulnerability affects Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.
CVE-2026-41003 is a high-severity vulnerability in Spring Security, a popular Java framework for building secure web applications. An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. This vulnerability affects multiple versions of Spring Security, including 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 t [truncated]
CVE-2026-40993 is a HIGH severity vulnerability in Spring Security 7.0.0 through 7.0.5. An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credent [truncated]
CVE-2026-40991 is a vulnerability in Spring REST Docs that allows for an XXE (XML External Entity) injection attack. When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next e [truncated]
CVE-2026-40988 is a HIGH severity vulnerability in Spring Security that can lead to a denial of service via an unbounded writer that inflates the compressed SAML payload into memory. The vulnerability affects Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.
CVE-2026-41855 is a high-severity vulnerability affecting Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The vulnerability is caused by the `MappingJackson2MessageConverter` and `JacksonJsonMessageConverter` classes in the `org.springframework.jms.support.converter` package, which allow arbitrary class instantiation in untrusted JMS env [truncated]
A medium-severity vulnerability, CVE-2026-41854, was found in Spring Framework. The issue arises from incorrect host parsing in UriComponentsBuilder, which can lead to a server-side request forgery (SSRF) attack. The affected versions are Spring Framework 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18.
CVE-2026-41853 is a vulnerability in Spring MVC and WebFlux applications that allows for Multipart request smuggling attacks. The affected versions are Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The CVSS score for this vulnerability is 5.3, with a severity rating of MEDIUM.
CVE-2026-41852 is a vulnerability in the Spring Expression Language (SpEL) evaluation logic. This vulnerability allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts. This could potentially allow an attacker to invoke unintended application logic. The affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and [truncated]
CVE-2026-41851 is a Denial of Service (DoS) vulnerability in Spring Framework. Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
CVE-2026-41850 is a HIGH severity vulnerability in Spring Framework, with a CVSS score of 7.5. Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailabil [truncated]
CVE-2026-41849 is a HIGH severity vulnerability with a CVSS score of 7.5. The vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL) and can be exploited by supplying a specially crafted SpEL expression, resulting in excessive resource consumption and a Denial of Service (DoS).
CVE-2026-41848 is a Regular Expression Denial of Service (ReDoS) vulnerability in Spring Framework. Applications may be vulnerable if an attacker provides a malicious pattern to certain methods in AntPathMatcher. The affected versions are Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
A security bypass vulnerability exists in Spring WebFlux applications when using the Kotlin Router DSL. The vulnerability affects Spring Framework versions 5.3.0 through 5.3.48.