Linux Distros Unpatched Vulnerability : CVE-2026-41848

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Applications may be vulnerable to a Regular Expression Denial of Service ReDoS attack if an attacker is able to provide a pattern which is then directly or...

Linux Distros Unpatched Vulnerability : CVE-2026-41842

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring MVC and WebFlux applications are vulnerable to Denial of Service DoS attacks when resolving static resources. Affected versions: Spring Framework 7.0.0...

Linux Distros Unpatched Vulnerability : CVE-2026-41850

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Applications that evaluate user-supplied Spring Expression Language SpEL expressions are vulnerable to an Algorithmic Denial of Service DoS. By providing a...

PT-2026-47658

Name of the Vulnerable Software and Affected Versions Spring Framework versions 5.3.0 through 5.3.48 Description Spring WebFlux applications may be subject to a security bypass when utilizing the Kotlin Router DSL. Recommendations At the moment, there is no information about a newer version that...

Cross-site Scripting (XSS)

Overview org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper...

Direct Request ('Forced Browsing')

Overview org.springframework:spring-webmvc is a package that provides Model-View-Controller MVC architecture and ready components that can be used to develop flexible and loosely coupled web applications. Affected versions of this package are vulnerable to Direct Request 'Forced Browsing' via...

CVE-2026-40969

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

CVE-2026-40968

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions:...

Exploit for Code Injection in Vmware Spring_Framework

PoC — CVE-2022-22965 Spring4Shell Disclaimer: This re...

Exploit for Code Injection in Vmware Spring_Framework

Spring4Shell Threat Sandbox CVE-2022-22965 Overview Thi...

Unity Linux 20.1070e Security Update: springframework (UTSA-2026-016731)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016731 advisory. In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to content disclosure in Spring MVC and WebFlux [CVE-2026-22737]

Summary IBM Watson Speech Services Cartridge is vulnerable to content disclosure in Spring MVC and WebFlux, where template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views CVE-2026-22737...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to stream corruption in Spring MVC and WebFlux [CVE-2026-22735]

Summary IBM Watson Speech Services Cartridge is vulnerable to stream corruption in Spring MVC and WebFlux when using Server-Sent Events SSE CVE-2026-22735. Spring MVC and WebFlux are used in our speech microservices. This vulnerabilitiy has been addressed. Please read the details for remediation...

Spring Framework 5.3.x < 5.3.48 / 6.1.x < 6.1.27 / 6.2.x < 6.2.18 / 7.0.x < 7.0.7 Multiple DoS

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.48, 6.1.x prior to 6.1.27, 6.2.x prior to 6.2.18, or 7.0.x prior to 7.0.7. It is, therefore, affected by multiple vulnerabilities: - A WebFlux server application that processes multipart requests creates temp files...

CVE-2026-44516

Valtimo (versions 12.4.0–12.33.0 and 13.26.0) contains a vulnerability in the web module where the LoggingRestClientCustomizer intercepts outgoing HTTP calls via Spring RestClient and logs full request/response bodies and headers. When errors occur, this data can appear in HttpClientErrorExceptio...

Spring AI: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users...

Prompt Injection

Overview org.springframework.ai:spring-ai-advisors-vector-store is a Chat client advisors for Spring AI Affected versions of this package are vulnerable to Prompt Injection via conversation memory handling in the affected advisor. An attacker can inject crafted input in conversation memory that i...

A Bootiful Podcast: Daniel Garnier-Moiroux on his new book 'Testing Spring Boot Applications'

Hi Spring fans! In this installment I'm thrilled to have had the opportunity to sit down and talk to Daniel Garnier-Moiroux and talk about "Testing Spring Boot Applications," from Manning! testing springboot java kotlin springframework...

CVE-2026-22745

A flaw was found in Spring MVC and Spring WebFlux applications. When an application is configured to serve static resources from the file system on a Windows platform, a remote attacker can send specially crafted requests that are slow to resolve. This can keep HTTP connections in use, leading to...

This Week in Spring - May 5th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 5th, 2026, and I'm in Mainz, Germany, for the legendary JAX conference! It's been infinitely far too long since I've been at this amazing show, and I'm oh-so happy to be back here! Tonight, after my two talks here, I...