ROOT-APP-MAVEN-CVE-2026-40972 CVE-2026-40972 in io.root.org.springframework.boot:spring-boot-devtools - Patched by Root

Root has patched CVE-2026-40972 in the io.root.org.springframework.boot:spring-boot-devtools package for Root:Maven. Multiple fixed versions available...

ai.hyacinth.framework:core-service-admin-server (=0.5.24), ai.hyacinth.framework:core-service-config-server (=0.5.24) +849 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=1.3.0.RELEASE <=2.7.3)

org.springframework.boot:spring-boot-devtools MAVEN version =1.3.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =1.0.0, =0.0.2, =0.0.3, =1.0.0, =1.0.5 - br.com.m4rc310:br-com-m4rc310-graphql =1.0.1 and more Source cves: CVE-2026-40972 Source...

Spring Boot DevTools remote secret comparison is vulnerable to timing attacks

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

io.github.dbmdz.cudami:cudami (>=10.0.0 <=10.2.0-rc.3), io.github.gregor-poloczek.project-maintainer:project-maintainer-ui (>=0.13.0 <=0.20.0) +9 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.5.0 <=3.5.11)

org.springframework.boot:spring-boot-devtools MAVEN version =3.5.0, =10.0.0, =0.13.0, =3.2.0, =4.1.1 Source cves: CVE-2026-40972 Source advisory: OSV:GHSA-56V8-86GJ-66JP...

com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (=3.0.7), com.okta.spring.examples:okta-spring-boot-redirect-code-flow-example (=3.0.7) +21 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.3.0 <=3.3.1)

org.springframework.boot:spring-boot-devtools MAVEN version =3.3.0, =1.6.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 - org.bremersee:common-exception-spring-boot-autoconfigure =1.1.0 - org.bremersee:common-exception-spring-boot-web-starter =1.1.0 -...

com.jayxu:demo (>=0.10.0 <=0.11.0), com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (>=3.0.9 <=3.1.0) +8 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=4.0.1 <=4.0.3)

org.springframework.boot:spring-boot-devtools MAVEN version =4.0.1, =0.10.0, =3.0.9, =3.0.9, =3.0.9, =3.0.9, =2.0.0, =2.1.1 - de.tschuehly:spring-view-component-thymeleaf =0.9.1 - io.stereov.singularity:core =1.10.6 - org.flowable:flowable-app-rest =8.0.0 - se.swedenconnect.bankid:bankid-idp =1.3...

br.com.m4rc310:br-com-m4rc310-core-graphql (>=1.0.2 <=1.0.18), br.com.m4rc310:br-com-m4rc310-core-gtim (>=1.0.4 <=1.0.18) +119 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.0.0 <=3.5.11)

org.springframework.boot:spring-boot-devtools MAVEN version =3.0.0, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =1.0.2, =1.0.18, =1.0.2, =1.0.2, =1.0.11, =0.0.11, =3.0.0, =4.0.0, =4.0.0-M1 and more Source cves: CVE-2026-40972 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-16191381...

MAL-2022-6269 Malicious code in spring-boot-devtools (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24c0313226e487a37c9158c78bc620c0306eb778d0aa789677c0c77811785295 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in spring-boot-devtools (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24c0313226e487a37c9158c78bc620c0306eb778d0aa789677c0c77811785295 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...