46 matches found
Spring Framework - Path Traversal
Spring Framework MVC applications deployed as WAR or with embedded Servlet containers that do not reject suspicious URI sequences and serve static resources with Spring resource handling contain a path traversal vulnerability, letting attackers access unauthorized files, exploit requires...
ROOT-APP-MAVEN-CVE-2025-41242 CVE-2025-41242 in io.root.org.springframework:spring-webmvc - Patched by Root
Root has patched CVE-2025-41242 in the io.root.org.springframework:spring-webmvc package for Root:Maven. Multiple fixed versions available...
Linux Distros Unpatched Vulnerability : CVE-2026-41242
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the type...
CVE-2026-41242 vulnerabilities
Vulnerabilities for packages: renovate, langfuse, jitsucom-jitsu, pulumi, vitess, kubeflow-centraldashboard...
CVE-2026-41242 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, librechat, renovate, jitsucom-jitsu, gemini-cli, langfuse, kibana, langfuse-fips, vitess, opentelemetry-auto-instrumentations-node, pulumi...
CVE-2026-41242
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the...
CVE-2026-41242
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the...
CVE-2026-41242
creationtimestamp | type | source
---|---|---
2026-04-17 04:00:00+00:00 | published-proof-of-concept | https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
2026-04-18 19:15:08+00:00 | published-proof-of-concept | Telegram/x12vbbUj9eUCE8CmwEAAyNGNCB8MsPtTe6lQq2voLeHmZk...
org.webjars.npm:bazel__typescript (=1.7.0), org.webjars.npm:cesium (>=1.96.0 <=1.137.0) +8 more potentially affected by CVE-2026-41242 via org.webjars.npm:protobufjs (>=6.8.8 <=8.0.0)
org.webjars.npm:protobufjs MAVEN version =6.8.8, =1.96.0, =1.0.0, =1.0.0, =10.13.0, =4.7.0, =0.3.35, =1.7.3, =0.7.13, =0.7.15 Source cves: CVE-2026-41242 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16094666...
10minions-engine (>=0.0.1 <=0.0.4), @0xr404/lol404 (>=1.1.0 <=1.1.6) +3322 more potentially affected by CVE-2026-41242 via protobufjs (>=7.0.0 <=7.5.4)
protobufjs NPM version =7.0.0, =0.0.1, =1.1.0, =1.0.1-beta.0, =0.0.2-beta.0, =1.0.0, =1.5.10, =0.10.1, =1.1.0, =6.0.0, =2.0.2, =3.3.2 and more Source cves: CVE-2026-41242 Source advisory: SNYK:JS-PROTOBUFJS-16094665...
-temp-electron-manager-somiibo (=0.0.200), 0xpass (>=0.0.2 <=0.0.8) +22910 more potentially affected by CVE-2026-41242 via protobufjs (>=2.0.4 <=7.5.4)
protobufjs NPM version =2.0.4, =0.0.2, =0.0.1, =1.0.0, =1.0.1, =1.0.1, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =1.0.0-alpha.3, =1.0.0, =0.0.1, =0.0.1, =0.1.5 and more Source cves: CVE-2026-41242 Source advisory: OSV:GHSA-XQ3M-2V4X-88GG...
2mxdev-gql-gateway (=1.0.0), 4m-node-server (>=0.0.1 <=0.0.8) +2879 more potentially affected by CVE-2026-41242 via @apollo/protobufjs (>=1.1.0 <=1.2.7)
@apollo/protobufjs NPM version =1.1.0, =0.0.1, =1.0.2, =3.10.1, =1.2.0-pre.24, =1.0.1, =1.0.0, =1.0.0, =0.5.0, =1.0.0, =0.0.1, =0.1.1, =0.0.1, =1.0.7, =1.0.17 and more Source cves: CVE-2026-41242 Source advisory: SNYK:JS-APOLLOPROTOBUFJS-16321047...
@0xchain/telemetry (>=1.1.0-beta.8 <=1.1.0-beta.18), @42zeroo/tescik (>=1.0.0 <=1.1.1963) +677 more potentially affected by CVE-2026-41242 via protobufjs (=8.0.0)
protobufjs NPM version =8.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on protobufjs and may be impacted: - @0xchain/telemetry =1.1.0-beta.8, =1.0.0, =1.1.4, =0.3.1, =0.3.1, =0.7.1, =0.7.0, =0.6.0, =0.8.0 - @adaptic/backend-legacy =0.0.941 and more...
Security Bulletin: A security vulnerability has been identified in IBM StreamSets Data Collector
Summary A security vulnerability CVE-2025-41242 has been addressed in IBM StreamSets Data Collector version 7.1.0 Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servle...
Security Bulletin: IBM Terracotta affected by Spring Framework vulnerabilities CVE-2022-22965, CVE-2022-22970, CVE-2025-41242
Summary Spring Framework vulnerabilities CVE-2022-22965, CVE-2022-22970, CVE-2025-41242 are addressed in the IBM Terracotta product Vulnerability Details CVEID:CVE-2022-22965 DESCRIPTION: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) vi...
CVE-2021-41242
OpenOlat is a web-based learning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files...
Security Bulletin: IBM Controller is vulnerable to a Path Traversal vulnerability
Summary IBM Controller has addressed a Path Traversal vulnerability present in Spring Framework MVC applications Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework [CVE-2025-41242]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework when deployed on a non-compliant Servlet container CVE-2025-41242. Spring Framework is used as part of our Java microservices. This vulnerability has been addressed. Please read the...
Security Bulletin: Path traversal vulnerability affect IBM Business Automation Workflow - CVE-2025-41242
Summary IBM Business Automation Workflow packages a vulnerable version of Spring. Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can ...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2025-41249,CVE-2025-41242)
Summary IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on...