Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory

A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the ApplicationTemp directory due to predictable temporary directory handling. When the server.servlet.session.persistent setting is enabled and the attack persists across...

CVE-2026-40976

A flaw was found in Spring Boot. Under specific conditions, including being a servlet-based web application without custom Spring Security configuration and relying on the default web security filter chain, a remote attacker could bypass security. This allows unauthorized access to all applicatio...

io.github.davidalmeidac:sealed-env-spring-boot-starter (>=0.1.0-alpha.1 <=0.1.0-alpha.3) potentially affected by CVE-2026-45091 via io.github.davidalmeidac:sealed-env-core (>=0.1.0-alpha.1 <=0.1.0-alpha.3)

io.github.davidalmeidac:sealed-env-core MAVEN version =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3 Source cves: CVE-2026-45091 Source advisory: OSV:GHSA-X3R2-FJ3R-G5MV...

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +280 more potentially affected by CVE-2026-41713 via org.springframework.ai:spring-ai-client-chat (>=1.1.0-M1 <=1.1.5)

org.springframework.ai:spring-ai-client-chat MAVEN version =1.1.0-M1, =0.1.0, =0.1.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =0.6.0, =1.1.0, =1.1.0, =1.1.0, =1.1.4 and more Source cves: CVE-2026-41713 Source advisory: OSV:GHSA-5852-PHMH-8FHR...

Exploit for Improper Input Validation in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Demo Khai thác Lỗ hổng Log4Shell CVE-2021-44228 Dự án này m...

ROOT-APP-MAVEN-CVE-2026-40976 CVE-2026-40976 in io.root.org.springframework.boot:spring-boot - Patched by Root

Root has patched CVE-2026-40976 in the io.root.org.springframework.boot:spring-boot package for Root:Maven. Multiple fixed versions available...

CVE-2026-40972

A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to...

CVE-2026-40973

A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the ApplicationTemp directory due to predictable temporary directory handling. When the server.servlet.session.persistent setting is enabled and the attack persists across...

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +280 more potentially affected by CVE-2026-41713 via org.springframework.ai:spring-ai-client-chat (>=1.1.0-M1 <=1.1.5)

org.springframework.ai:spring-ai-client-chat MAVEN version =1.1.0-M1, =0.1.0, =0.1.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =0.6.0, =1.1.0, =1.1.0, =1.1.0, =1.1.4 and more Source cves: CVE-2026-41713 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16624614...

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +505 more potentially affected by CVE-2026-41713 via org.springframework.ai:spring-ai-model (>=1.1.0-M1 <=1.1.5)

org.springframework.ai:spring-ai-model MAVEN version =1.1.0-M1, =0.1.0, =0.1.0, =0.8.0, =0.7.0, =0.7.0, =0.8.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.6 and more Source cves: CVE-2026-41713 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16624613...

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +60 more potentially affected by CVE-2026-41712 via org.springframework.ai:spring-ai-openai (>=1.1.0-M1 <=1.1.5)

org.springframework.ai:spring-ai-openai MAVEN version =1.1.0-M1, =0.1.0, =0.1.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =0.6.0, =1.21.2, =1.1.2.1, =1.1.0.0, =1.1.2.2 and more Source cves: CVE-2026-41712 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16624639...

A Bootiful Podcast: Daniel Garnier-Moiroux on his new book 'Testing Spring Boot Applications'

Hi Spring fans! In this installment I'm thrilled to have had the opportunity to sit down and talk to Daniel Garnier-Moiroux and talk about "Testing Spring Boot Applications," from Manning! testing springboot java kotlin springframework...

This Week in Spring - May 5th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 5th, 2026, and I'm in Mainz, Germany, for the legendary JAX conference! It's been infinitely far too long since I've been at this amazing show, and I'm oh-so happy to be back here! Tonight, after my two talks here, I...

CVE-2026-40974

A flaw was found in Spring Boot's Cassandra auto-configuration. This vulnerability allows an adjacent attacker to bypass hostname verification during SSL Secure Sockets Layer connection establishment to Cassandra. This could enable a man-in-the-middle attack, potentially leading to unauthorized...

CVE-2026-40971

A flaw was found in Spring Boot. When configured to use an SSL Secure Sockets Layer bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. This vulnerability could allow an attacker on the same network to intercept or alter...

Linux Distros Unpatched Vulnerability : CVE-2026-40974

"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot...

ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0), ai.telosforge:kimaira-starter-dms (>=1.2.4 <=1.2.6) +5034 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.2.0 <=6.2.17)

org.springframework:spring-webmvc MAVEN version =6.2.0, =0.5.0, =1.2.4, =1.2.4, =1.17.0, =0.3.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.8.1 and more Source cves: CVE-2026-22741 Source advisory: OSV:GHSA-WG35-8JPF-2XV3...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.7.4) +1788 more potentially affected by CVE-2026-22745 via org.springframework:spring-webmvc (>=7.0.0 <=7.0.6)

org.springframework:spring-webmvc MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0, =2.0.0, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22745 Source advisory: OSV:GHSA-6P4F-WCWH-5VVM...

Arbitrary File Overwrite

org.springframework.boot, spring-boot is vulnerable to arbitrary file overwrite. The vulnerability is due to insecure handling of the PID file via ApplicationPidFileWriter, which allows a local attacker with write access to the PID file location to exploit symlink behavior and overwrite or corrup...

Improper Hostname Verification

Spring Boot is vulnerable to improper hostname verification. The vulnerability is due to missing hostname verification in SSL bundle configuration, which allows an attacker to perform man-in-the-middle attacks by impersonating the RabbitMQ broker...