CVE-2026-41850

🗓️ 09 Jun 2026 03:51:22Reported by vmwareType

Spring Framework faces algorithmic DoS from user provided Spring Expression Language expressions causing resource exhaustion.

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2026-41850	9 Jun 202607:01	–	circl
Cvelist	CVE-2026-41850 Spring Framework Algorithmic Denial of Service via SpEL Expressions	9 Jun 202603:51	–	cvelist
Debian CVE	CVE-2026-41850	9 Jun 202603:51	–	debiancve
EUVD	EUVD-2026-35338	9 Jun 202603:51	–	euvd
NVD	CVE-2026-41850	9 Jun 202605:16	–	nvd
OSV	DEBIAN-CVE-2026-41850	9 Jun 202605:16	–	osv
Positive Technologies	PT-2026-47661	9 Jun 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-41850 Spring Framework Algorithmic Denial of Service via SpEL Expressions	9 Jun 202603:51	–	vulnrichment

[
  {
    "vendor": "Spring",
    "product": "Spring Framework",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "status": "affected",
        "version": "7.0.0",
        "lessThan": "7.0.8",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.2.0",
        "lessThan": "6.2.19",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.1.0",
        "lessThan": "6.1.28",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "5.3.0",
        "lessThan": "5.3.49",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
spring	www.spring.io/security/cve-2026-41850

09 Jun 2026 13:49Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.17.5

SSVC

CWE-407