This Week in Spring - February 24th, 2026

Hi, Spring fans! Welcome to another awesome and oh-so-agentic week in Spring! We've got a ton to look into, and I've got even more to prepare for next week's DevNexus event in Atlanta, GA, so let's dive right into it! Be sure to say "hi" if you're going to be there, though! You've heard of Agent...

org.apache.camel.karaf:camel-leveldb (>=4.10.3 <=4.10.7), org.apache.camel.karaf:camel-leveldb-test (>=4.10.3 <=4.10.7) +4 more potentially affected by CVE-2026-25747 via org.apache.camel:camel-leveldb (>=3.0.0 <=4.10.8)

org.apache.camel:camel-leveldb MAVEN version =3.0.0, =4.10.3, =4.10.3, =1.2.0, =1.2.0, =1.2.0, =3.0.0, =4.10.8 Source cves: CVE-2026-25747 Source advisory: OSV:GHSA-429Q-MRC4-38FR...

org.apache.camel.karaf:camel-leveldb (>=4.10.3 <=4.10.7), org.apache.camel.karaf:camel-leveldb-test (>=4.10.3 <=4.10.7) +4 more potentially affected by CVE-2026-25747 via org.apache.camel:camel-leveldb (>=3.0.0 <=4.10.8)

org.apache.camel:camel-leveldb MAVEN version =3.0.0, =4.10.3, =4.10.3, =1.2.0, =1.2.0, =1.2.0, =3.0.0, =4.10.8 Source cves: CVE-2026-25747 Source advisory: SNYK:JAVA-ORGAPACHECAMEL-15353482...

forest 代码注入漏洞

Forest is a modern knowledge community backend project developed by RYMCU. It is implemented using SpringBoot, Shiro, MyBatis, JWT, and Redis. Versions of Forest 0.0.5 and earlier have a code injection vulnerability. This vulnerability stems from incorrect operations in the updateUserInfo functio...

Exploit for Code Injection in Vmware Spring_Framework

ДЗ 10 — Python для аналитиков ИБ: эксплойты Описание уязви...

CVE-2026-2818

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

com.netflix.ndbench:ndbench-cli (>=0.3.12 <=0.7.4), com.netflix.ndbench:ndbench-geode-plugins (>=0.3.5 <=0.7.4) +35 more potentially affected by CVE-2026-2818 via org.springframework.data:spring-data-geode (>=1.0.0.INCUBATING-RELEASE <=2.7.5)

org.springframework.data:spring-data-geode MAVEN version =1.0.0.INCUBATING-RELEASE, =0.3.12, =0.3.5, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =3.0.0, =3.2.1...

CVE-2026-2818 Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818 Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818

CVE-2026-2818 describes a zip-slip path traversal in Spring Data Geode’s import snapshot functionality, affecting Windows environments. The issue allows writing files outside the intended extraction directory during snapshot extraction, with impact described as confidentiality: Low , integrity: H...

Spring Data Geode 安全漏洞

Spring Data Geode is a software developed by Spring for configuring, operating, and accessing distributed data management systems. There is a security vulnerability in Spring Data Geode, which stems from a Zip Slip path traversal vulnerability in the import snapshot function. This vulnerability...

warehouse 访问控制错误漏洞

Warehouse is a small-scale warehouse logistics management system developed by Yeqifu’s individual developer, based on Spring Boot. There is an access control vulnerability in Warehouse. This vulnerability stems from improper access control issues in the addSales, updateSales, and deleteSales...

warehouse 访问控制错误漏洞

Warehouse is a small-scale warehouse logistics management system developed by Yeqifu’s individual developer, based on Spring Boot. There is an access control vulnerability in Warehouse. This vulnerability stems from improper access control issues in the functions addCustomer, updateCustomer, and...

PT-2026-21245

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

warehouse 访问控制错误漏洞

Warehouse is a small-scale warehouse logistics management system developed by Yeqifu’s individual developer, based on Spring Boot. There is an access control vulnerability in Warehouse. This vulnerability stems from improper access control issues in the addInport/, updateInport/, and deleteInport...

Atlassian Confluence 7.19.x < 9.2.14 / 9.2.15 / 9.3.x < 10.2.3 / 10.2.6 (CONFSERVER-102132)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-102132 advisory. - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized...

CVE-2026-2817

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

Creation of Temporary File in Directory with Insecure Permissions

Overview Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of an insecure temporary directory during snapshot import operations. An attacker can access sensitive information by reading files from the temporary...

com.netflix.ndbench:ndbench-cli (>=0.3.12 <=0.7.4), com.netflix.ndbench:ndbench-geode-plugins (>=0.3.5 <=0.7.4) +35 more potentially affected by CVE-2026-2817 via org.springframework.data:spring-data-geode (>=1.0.0.INCUBATING-RELEASE <=2.7.5)

org.springframework.data:spring-data-geode MAVEN version =1.0.0.INCUBATING-RELEASE, =0.3.12, =0.3.5, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =3.0.0, =3.2.1...