Exploit for Code Injection in Vmware Spring_Framework

No d...

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2016-1000027,CVE-2024-22243,CVE-2024-22259,CVE-2024-38809,CVE-2024-22262,CVE-2024-38820,CVE-2024-38828)

Summary Spring MVC controller vulnerable to potential remote code execution RCE , DoS attack and DataBinder Case Sensitive Match Exception. Applications that use UriComponentsBuilder to parse an externally provided URL may be vulnerable to a open redirect...

This Week in Spring - February 3rd, 2026

Hi, Spring fans! This week I'm in northern Europe. I went on the Vaadin cruise from Finland to Sweden, gave a talk on a boat, then arrived in Stockholm in time for the amazing JFokus 2026 event where I had the privilege yesterday of doing a deep dive with my pal James Ward on Spring AI and agenti...

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38820,CVE-2025-22233)

Summary Spring MVC controller vulnerable to a DoS attack and DataBinder Case Sensitive Match Exception. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However,...

Spring AI Agentic Patterns (Part 5): Building Interoperable Agents with the Agent2Agent (A2A) Protocol

The Agent2Agent A2A Protocol is an open standard for seamless AI agent communication. It enables agents to discover capabilities, exchange messages, and coordinate workflows across platforms—regardless of their implementation. Spring AI A2A integrates the A2A Java SDK with Spring AI through Sprin...

Anthropic Agent Skills Support in Spring AI

In this blog, we show how using Spring AI, we can integrate with Anthropic's Native Skills API for Cloud-Based Document Generation and Custom Skills. Spring AI adds support for Anthropic's Agent Skills — modular capabilities that let Claude generate actual files rather than text descriptions. Wit...

Security Bulletin: Multiple vulnerabilities that affect IBM Db2 Data management console

Summary IBM Db2 Data management console has several dependent packages with vulnerabilities. This bulletin describes the upgrades necessary to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss...

com.foxinmy:easemob4j (>=1.1.0 <=1.1.3), com.foxinmy:umeng4j (>=1.1.0 <=1.1.3) +13 more potentially affected by CVE-2026-24819 via com.foxinmy:weixin4j-base (>=1.0 <=1.9.1)

com.foxinmy:weixin4j-base MAVEN version =1.0, =1.1.0, =1.1.0, =1.9.0, =1.4, =1.0, =1.9.0, =1.4, =1.0, =1.8.0, =1.0.9-RELEASE, =0.0.2, =0.0.3 - org.oxerr:spring-security-wechat-samples-helloworld =0.0.1 Source cves: CVE-2026-24819 Source advisory: SNYK:JAVA-COMFOXINMY-15128702...

Spring Framework DoS (CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262)

The Spring Framework vulnerabilities identified are located within open source components utilized by Brocade SANnav, however none of these vulnerabilities are in the executable code path. As a part of good security practice, the open source component was updated in the Brocade SANnav 3.0.0...

This Week in Spring - January 26th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this, I cannot believe we're nearly at the end of the month! Time sure flies. Spring AI 2.0.0-M2 is available now Spring Modulith 2.1 M1, 2.0.2, and 1.4.7 released In last week's installment of A Bootiful Podcast ,...

xss-protector

Lucy XSS Filter for Spring Boot 네이버 Lucy XSS Filter를 사용한 강력...

Oracle Business Intelligence Publisher (January 2026 CPU)

The 7.6.0.0.0 and 8.2.0.0.0 versions of Oracle Business Intelligence Publisher installed on the remote host are affected by a vulnerability as referenced in the January 2026 CPU advisory. - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Analytics component: Development...

be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1374 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.4.4)

org.springframework.security:spring-security-core MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE, =1.12.0,...

GHSA-VQXH-445G-37FC Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

com.almis.awe:awe-annotation (>=4.10.11 <=4.11.2), com.almis.awe:awe-annotations-spring-boot-starter (>=4.10.11 <=4.11.2) +107 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.3.8)

org.springframework.security:spring-security-core MAVEN version =6.3.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - com.almis.awe:awe-annotation =4.10.11, =4.10.11, =4.10.11,...

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

Exploit for Out-of-bounds Read in Libpng

Spring Boot Minimal Images PoC Dummy Spring Boot application...

CVE-2026-1225 Malicious logback.xml configuration file allows instantiation of arbitrary classes

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially...