CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/06/09 5:16 a.m.•5 views

UBUNTU-CVE-2026-41844

A Spring MVC or Spring WebFlux application which configures a mapping for "/" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through...

6.1CVSS5.6AI score0.00134EPSS

OSV•added 2026/06/09 5:16 a.m.•6 views

UBUNTU-CVE-2026-41847

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48...

5.3CVSS5.4AI score0.00157EPSS

OSV•added 2026/06/09 5:16 a.m.•7 views

UBUNTU-CVE-2026-41845

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3....

7.1CVSS5.3AI score0.00161EPSS

EUVD•added 2026/06/09 3:51 a.m.•6 views

EUVD-2026-35344

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affect...

8.1CVSS5.6AI score0.00257EPSS

Cvelist•added 2026/06/09 3:51 a.m.•33 views

CVE-2026-41855 Spring Framework Unsafe Deserialization via Jackson JMS Converters

8.1CVSS0.00257EPSS

Vulnrichment•added 2026/06/09 3:51 a.m.•8 views

CVE-2026-41855 Spring Framework Unsafe Deserialization via Jackson JMS Converters

8.1CVSS5.6AI score0.00257EPSS

CVE•added 2026/06/09 3:51 a.m.•75 views

CVE-2026-41855

The CVE affects Spring Framework via unsafe deserialization in JMS converters: MappingJackson2MessageConverter and JacksonJsonMessageConverter allow arbitrary class instantiation in untrusted JMS environments, enabling gadget-based deserialization that could trigger unauthorized actions. Affected...

8.1CVSS5.6AI score0.00257EPSS

EUVD•added 2026/06/09 3:51 a.m.•8 views

EUVD-2026-35343

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery SSRF attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18...

4.2CVSS5.5AI score0.00123EPSS

Cvelist•added 2026/06/09 3:51 a.m.•31 views

CVE-2026-41854 Spring Framework Server-Side Request Forgery via UriComponentsBuilder

4.2CVSS0.00123EPSS

Vulnrichment•added 2026/06/09 3:51 a.m.•8 views

CVE-2026-41854 Spring Framework Server-Side Request Forgery via UriComponentsBuilder

4.2CVSS5.5AI score0.00123EPSS

Cvelist•added 2026/06/09 3:51 a.m.•36 views

CVE-2026-41853 Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

5.3CVSS0.00186EPSS

EUVD•added 2026/06/09 3:51 a.m.•11 views

EUVD-2026-35342

CVE•added 2026/06/09 3:51 a.m.•62 views

CVE-2026-41853

CVE-2026-41853 concerns Multipart request smuggling in Spring Framework’s Spring MVC and WebFlux components. Affected are Spring Framework versions: 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The CVE entry identifies the issue as a vulnerability in multipart handling, with an accompan...

Exploits0References1Affected Software1

Vulnrichment•added 2026/06/09 3:51 a.m.•7 views

CVE-2026-41853 Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux

Debian CVE•added 2026/06/09 3:51 a.m.•4 views

CVE-2026-41853

Vulnrichment•added 2026/06/09 3:51 a.m.•8 views

Exploits0

CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

3.7CVSS5.6AI score0.00155EPSS

Cvelist•added 2026/06/09 3:51 a.m.•38 views

CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions

3.7CVSS0.00155EPSS

CVE•added 2026/06/09 3:51 a.m.•27 views

CVE-2026-41852

The CVE affects Spring Framework via SpEL evaluation allowing arbitrary zero-argument method invocation in restricted/read-only contexts across multiple versions (7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48). Root cause is the SpEL evaluation logic, enabling invocation of unintended app...

5.3CVSS5.6AI score0.00155EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/06/09 3:51 a.m.•5 views

CVE-2026-41851 Spring Framework Denial of Service via Unbounded Cache in SpEL

Applications which accept user-supplied Spring Expression Language SpEL expressions may be vulnerable to a Denial of Service DoS attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0...

5.3CVSS5.4AI score0.00359EPSS