CVE-2026-40972

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

CVE-2026-40974

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16, 3.3.0–3.3.18 fix 3.3.19, 2.7.0–2.7.32 fix 2.7.33; Cassandra SSL...

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVE-2026-40977

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

CVE-2026-40975

Values produced by $random.value are not suitable for use as secrets. $random.uuid is not affected. $random.int and $random.long should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15...

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. Versions of VMware Spring Boot 4.0.0 to 4.0.5 have security vulnerabilities. These vulnerabilities stem from the default web security being ineffective, which may allow unauthorized access to all endpoints...

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from a timing attack in...

VMware Spring Boot 安全特征问题漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from the use of random...

io.crossplane.compositefunctions:crossplane-function-example (>=1.20-alpha <=2.0.5), io.crossplane.compositefunctions:crossplane-function-springboot-starter (>=1.20-alpha <=2.0.5) +19 more potentially affected by CVE-2026-40969 via org.springframework.grpc:spring-grpc-core (>=1.0.0-RC1 <=1.0.2)

org.springframework.grpc:spring-grpc-core MAVEN version =1.0.0-RC1, =1.20-alpha, =1.20-alpha, =2026.01, =0.8.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =1.0.0, =1.0.0, =1.0.2 - org.springframew...

VMware Spring Boot 后置链接漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. Vulnerabilities exist in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from issues with PID files and symbol...

VMware Spring Boot 信任管理问题漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from the lack of hostnam...

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from predictable tempora...

This Week in Spring - April 28th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm on PTO in beautiful Santorini, Greece, catching up on some news and about to cruise the islands for some sightseeing. There's nothing quite like springtime in the Mediterranean! I couldn't dream of enjoyin...

Fedora 44 : util-linux (2026-67cf3d6cca)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-67cf3d6cca advisory. upstream update, fixes security-related bugs CVE-2026-27456 - mount8 TOCTOU symlink attack via loop device. The SUID mount follows symlinks when resolving lo...

Linux Distros Unpatched Vulnerability : CVE-2026-31481

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: tracing: Drain deferred trigger frees if kthread creation fails Boot-time trigger registrati...

CVE-2026-40977

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

CVE-2026-40977

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

EUVD-2026-25941

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...