Lucene search

27 matches found

EUVD, added 12 hours ago

EUVD-2026-35908

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1, AI score 5.6
Exploits 0, References 2
EUVD, added 12 hours ago

EUVD-2026-35903

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0...

CVSS 6.5, AI score 5.5
Exploits 0, References 2
NVD, added 12 hours ago

CVE-2026-41731

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1
Exploits 0, References 1
NVD, added 12 hours ago

CVE-2026-41727

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retrytopic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the...

CVSS 6.5
Exploits 0, References 1
NVD, added 12 hours ago

CVE-2026-41726

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0...

CVSS 6.5
Exploits 0, References 1
Cvelist, added yesterday

CVE-2026-41731 In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1
Exploits 0, References 1
CVE, added yesterday

CVE-2026-41731

Spring for Apache Kafka vulnerable due to overly broad trusted-package matching in JsonKafkaHeaderMapper and deprecated DefaultKafkaHeaderMapper: they compare type headers against trusted packages with a prefix check, causing any trusted package to implicitly trust all subpackages. When combined ...

CVSS 8.1, AI score 5.6
Exploits 0, References 1
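The EUVD, NVD, Cvelist and CVE entries above all describe the same flaw in CVE-2026-41731: the type header is compared against the trusted-package list by string prefix, so trusting a package silently trusts everything under it. The following is an added example, not spring-kafka's own code: it models a trusted-package check in Python and contrasts the prefix match the advisory describes with an exact match on the class's package. The `__TypeId__` header name, the trusted list (`java.util`, `java.lang` and one application package) and the sample records are assumptions constructed for the demo. It also goes one step beyond the advisory text by including a class whose package merely shares a string prefix with a trusted package without being a subpackage, which a bare prefix check accepts as well.

```python
# Added example, not spring-kafka code: models how matching a record's type
# header against trusted packages by string prefix differs from matching the
# class's package exactly. Header name and trusted list are assumptions.

TYPE_HEADER = "__TypeId__"


def package_of(class_name):
    """Package part of a fully qualified class name ('' for the default package)."""
    return class_name.rpartition(".")[0]


def trusted_by_prefix(class_name, trusted):
    # Flawed check described in the advisory: the fully qualified name only has
    # to start with a trusted package, so every subpackage is trusted as well
    # (and, with a bare prefix, so is any package that merely shares the prefix).
    return any(class_name.startswith(pkg) for pkg in trusted)


def trusted_by_exact_package(class_name, trusted):
    # Hardened check: the class's own package must be one of the trusted
    # packages; subpackages have to be listed explicitly.
    return package_of(class_name) in trusted


def accepted_types(records, trusted, check):
    """Return the type header values that `check` would hand to the deserializer."""
    accepted = []
    for record in records:
        type_id = record["headers"].get(TYPE_HEADER)
        if type_id is not None and check(type_id, trusted):
            accepted.append(type_id)
    return accepted


# Constructed sample input: a trusted list and type headers a producer could send.
TRUSTED = ["java.util", "java.lang", "com.example.orders"]
RECORDS = [
    {"headers": {TYPE_HEADER: "com.example.orders.OrderPlaced"}},          # expected type
    {"headers": {TYPE_HEADER: "java.util.HashMap"}},                       # in a trusted package
    {"headers": {TYPE_HEADER: "java.util.concurrent.ConcurrentHashMap"}},  # JDK subpackage
    {"headers": {TYPE_HEADER: "com.example.orders.internal.Config"}},      # app subpackage
    {"headers": {TYPE_HEADER: "com.example.ordersx.Gadget"}},              # shares prefix only
    {"headers": {}},                                                       # no type header
]

if __name__ == "__main__":
    print("prefix check :", accepted_types(RECORDS, TRUSTED, trusted_by_prefix))
    print("exact package:", accepted_types(RECORDS, TRUSTED, trusted_by_exact_package))
```

The practical check when auditing a consumer is to list what the type mapper actually accepts for your configured trusted packages, as `accepted_types` does here, rather than reasoning from the configuration alone; with the prefix check, three of the five sample headers that are not the expected type get through.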
Cvelist, added yesterday

CVE-2026-41727 In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retrytopic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the...

CVSS 6.5
Exploits 0, References 1
CVE, added yesterday

CVE-2026-41726

In Spring for Apache Kafka, CVE-2026-41726 arises when an application uses the DelegatingDeserializer and an attacker can send records with unique, random spring.kafka.serialization.selector header values. This can cause the consumer’s heap to grow without bound, leading to garbage-collection thr...

CVSS 6.5, AI score 5.5
Exploits 0, References 1
Cvelist, added yesterday

CVE-2026-41726 In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0...

CVSS 6.5
Exploits 0, References 1
Positive Technologies, added yesterday

PT-2026-48323

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retrytopic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the...

CVSS 6.5, AI score 5.5
Exploits 0, References 2
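The NVD, Cvelist and Positive Technologies entries for CVE-2026-41727 describe a retry-topic router that acts on a producer-supplied retrytopic-attempts header without validating it. The following is an added example, not spring-kafka's own code: it models such a router in Python, first trusting the header blindly and then validating it as an integer within range and cross-checking it against the topic the record was actually consumed from, which the producer cannot forge. The topic names, the hop layout (main topic, three retry topics, then a dead-letter topic) and the rule that the attempt count must equal the hop implied by the source topic are assumptions made for the demo.

```python
# Added example, not spring-kafka code: models a retry-topic router that reads
# the attempt count from the retrytopic-attempts header, first trusting it
# blindly and then validating it against the topic the record actually came
# from. Topic names and the hop layout are assumptions.

ATTEMPTS_HEADER = "retrytopic-attempts"
MAIN_TOPIC = "orders"
RETRY_TOPICS = ["orders-retry-0", "orders-retry-1", "orders-retry-2"]
DLT = "orders-dlt"


def topic_for_hop(hop):
    """Retry topic for the given hop, or the DLT once retries are exhausted."""
    return RETRY_TOPICS[hop] if hop < len(RETRY_TOPICS) else DLT


def expected_hop(source_topic):
    """Hop implied by where the failed record was consumed from (a broker-side
    fact the producer cannot forge): main topic -> hop 0, retry-k -> hop k+1."""
    if source_topic == MAIN_TOPIC:
        return 0
    if source_topic in RETRY_TOPICS:
        return RETRY_TOPICS.index(source_topic) + 1
    raise ValueError("record consumed from unexpected topic %r" % (source_topic,))


def route_unchecked(headers, source_topic):
    # Vulnerable model: the producer-controlled header alone picks the next hop,
    # so "999" jumps straight to the DLT and "0" restarts the retry chain.
    return topic_for_hop(int(headers[ATTEMPTS_HEADER]))


def parse_attempts(headers, source_topic):
    """Return the validated attempt count, or None if the header is missing,
    non-numeric, out of range, or contradicts the source topic."""
    raw = headers.get(ATTEMPTS_HEADER)
    try:
        attempts = int(raw)
    except (TypeError, ValueError):
        return None
    if not 0 <= attempts <= len(RETRY_TOPICS):
        return None
    if attempts != expected_hop(source_topic):
        return None
    return attempts


def route_checked(headers, source_topic):
    # Hardened model: an invalid header never steers routing. Fall back to the
    # hop implied by the source topic and report that the header was rejected
    # so the consumer can log or meter forged headers.
    attempts = parse_attempts(headers, source_topic)
    if attempts is None:
        return topic_for_hop(expected_hop(source_topic)), "header rejected"
    return topic_for_hop(attempts), "header ok"


if __name__ == "__main__":
    # Constructed records: a forged count from the main topic and a reset from
    # the last retry topic.
    forged = {ATTEMPTS_HEADER: "999"}
    reset = {ATTEMPTS_HEADER: "0"}
    print("unchecked:", route_unchecked(forged, "orders"), route_unchecked(reset, "orders-retry-2"))
    print("checked  :", route_checked(forged, "orders"), route_checked(reset, "orders-retry-2"))
```

The design point is that the header is at best a hint: the consumer already knows which topic it polled the record from, so the attempt count can be derived from that and the header only has to agree with it. Any disagreement is treated as tampering and routed as if the header were absent.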
Positive Technologies, added yesterday

PT-2026-48322

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0...

CVSS 6.5, AI score 5.4
Exploits 0, References 2
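The EUVD, NVD, CVE, Cvelist and Positive Technologies entries for CVE-2026-41726 all describe the same failure mode: a delegating deserializer caches one delegate per value of the spring.kafka.serialization.selector header, so a producer who sends a fresh random selector on every record grows the consumer's heap until it runs out of memory. The following is an added example, not spring-kafka's own code: it models that cache in Python beside a hardened variant whose delegates are fixed at construction and keyed by a closed allowlist, so an unknown selector is rejected and never stored. The delegate factory, the allowlist and the record stream are assumptions constructed for the demo.

```python
# Added example, not spring-kafka code: models a delegating deserializer that
# caches one delegate per selector header value, beside a bounded variant.
# The header name is the one the advisory quotes; the delegates, the factory
# and the allowlist are assumptions.

SELECTOR_HEADER = "spring.kafka.serialization.selector"


def json_delegate(data):
    return ("json", data.decode("utf-8"))


def raw_delegate(data):
    return ("raw", data)


def fallback_factory(selector):
    # Assumed behaviour of the vulnerable model: a known selector gets its
    # delegate, anything else falls back to raw bytes but is still cached
    # under the attacker-chosen key.
    return {"json": json_delegate}.get(selector, raw_delegate)


class UnboundedDelegatingDeserializer:
    """Vulnerable model: every unseen selector value creates and caches a delegate."""

    def __init__(self, delegate_factory):
        self.delegate_factory = delegate_factory
        self.delegates = {}  # selector value -> delegate; grows without bound

    def deserialize(self, headers, data):
        selector = headers.get(SELECTOR_HEADER)
        if selector not in self.delegates:
            self.delegates[selector] = self.delegate_factory(selector)
        return self.delegates[selector](data)


class BoundedDelegatingDeserializer:
    """Hardened model: delegates are fixed at construction; an unknown selector
    is rejected and nothing is ever added to the map at runtime."""

    def __init__(self, delegates):
        self.delegates = dict(delegates)

    def deserialize(self, headers, data):
        selector = headers.get(SELECTOR_HEADER)
        delegate = self.delegates.get(selector)
        if delegate is None:
            raise ValueError("unknown selector %r" % (selector,))
        return delegate(data)


def consume(deserializer, records):
    """Feed records through a deserializer; return (decoded count, rejected count)."""
    decoded = rejected = 0
    for headers, data in records:
        try:
            deserializer.deserialize(headers, data)
            decoded += 1
        except ValueError:
            rejected += 1
    return decoded, rejected


def flood(n):
    """Constructed stream: n records whose selector values are all distinct."""
    return [({SELECTOR_HEADER: "sel-%d" % i}, b"x") for i in range(n)]


def cache_growth(n):
    """Drive both models with n distinct selectors; return the unbounded cache
    size, the bounded cache size and how many records the bounded model rejected."""
    unbounded = UnboundedDelegatingDeserializer(fallback_factory)
    consume(unbounded, flood(n))
    bounded = BoundedDelegatingDeserializer({"json": json_delegate})
    _, rejected = consume(bounded, flood(n))
    return len(unbounded.delegates), len(bounded.delegates), rejected


if __name__ == "__main__":
    print("unbounded entries, bounded entries, rejected:", cache_growth(10000))
```

The bounded variant is a different behaviour, not just a cache cap: rejected records surface as deserialization errors that the consumer's error handling has to deal with, which is the point, since a selector the application never configured should never select anything. A size-capped cache that still accepts arbitrary selectors would stop the heap growth but would keep handing attacker-chosen keys to the factory.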
Spring Engineering, added 2025/10/14 12:00 a.m.

Introducing Share Consumer Support (Kafka Queues) in Spring for Apache Kafka

Continuing our Road to GA series, this week we're exploring Share Groups in Apache Kafka 4.0.0 and their integration in Spring for Apache Kafka 4.0.0 - a feature that fundamentally expands how we can consume messages from Kafka topics. When we first start working with Kafka, the mental model is...

AI score 6.8
Exploits 0
vulnersOsv, added 2025/03/13 5:47 a.m.

ai.superstream:kafka-clients (>=3.0.1 <=3.6.1-alpha1), ai.superstream:spring-kafka (>=2.8.4-alpha1 <=3.0.1-alpha1) +1819 more potentially affected by CVE-2020-36843 via net.i2p.crypto:eddsa (>=0.1.0 <=0.3.0)

net.i2p.crypto:eddsa MAVEN version =0.1.0, =3.0.1, =2.8.4-alpha1, =0.0.1-alpha1, =0.0.6, =2.1.2, =2.1.2, =2.2, =1.1.0-dev-3, =1.10.0, =1.10.0, =1.15.0, =1.10.0, =1.10.0, =1.10.0, =1.10.0, =1.23.0 and more Source cves: CVE-2020-36843 Source advisory: SNYK:JAVA-NETI2PCRYPTO-9402849...

CVSS 4.3, AI score 6.4, EPSS 0.00028
Exploits 0
Spring Engineering, added 2025/02/25 12:00 a.m.

This Week in Spring - February 25th, 2025

Hi, Spring fans, and welcome to another rip-roarin' installment of This Week in Spring! Later today I'll board a plane for magnificent Montreal, Canada for the amazing Confoo conference! I'm super excited! Good news everybody! Spring Boot 3.5.0-M2 is now available! In last week's installment of t...

AI score 7.2
Exploits 0
GithubExploit, added 2023/09/28 11:18 a.m.

Exploit for Deserialization of Untrusted Data in Vmware Spring_For_Apache_Kafka

CVE-2023-34040 Spring Kafka Deserialization Remote Code Execut...

CVSS 7.8, AI score 8, EPSS 0.21413
Exploits 2
BDU FSTEC, added 2023/09/07 12:00 a.m.

A vulnerability in spring-kafka (Spring for Apache Kafka) stems from deficiencies in its deserialization mechanism. It allows an attacker to execute arbitrary code or cause a denial of service.

A vulnerability in the spring-kafka platform for Apache Kafka stems from deficiencies in its deserialization mechanism. Exploiting it could allow an attacker to execute arbitrary code or cause a denial of service...

CVSS 7.8, AI score 7.8, EPSS 0.21413
Exploits 2, References 5, Affected Software 1
Veracode, added 2023/08/29 8:56 a.m.

Deserialization Of Untrusted Data

org.springframework.kafka:spring-kafka is vulnerable to Deserialization Of Untrusted Data. The vulnerability is caused by not setting ErrorHandlingDeserializer when the checkDeserExWhenKeyNull or checkDeserExWhenValueNull container properties are set to true. An attacker can construct a malicious...

CVSS 7.8, AI score 6.8, EPSS 0.21413
Exploits 2, References 3, Affected Software 1
Spring Engineering, added 2023/08/29 12:00 a.m.

This Week in Spring - August 29th, 2023 - the post SpringOne recovery blog

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm exhausted. Seriously. Last week was mental. If you need me, I'll be over sipping on a tea... But, before that, there's a ton of things to cover from this last week, as always, and there's no rest for the curious, so let's...

AI score 6.7
Exploits 0
vulnersOsv, added 2023/08/24 3:31 p.m.

cn.herodotus.engine:event-message-spring-boot-starter (=3.0.1.0), com.brihaspathee.zeus:account-processor (>=1.0.0 <=1.0.1) +42 more potentially affected by CVE-2023-34040 via org.springframework.kafka:spring-kafka (>=3.0.0 <=3.0.1)

org.springframework.kafka:spring-kafka MAVEN version =3.0.0, =1.0.0, =2.0.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.2 and more Source cves: CVE-2023-34040 Source advisory: OSV:GHSA-CRQF-Q9FP-HWJW...

CVSS 7.8, AI score 7.1, EPSS 0.21413
Exploits 2