Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.7 for Spring Boot release.
Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...
Introducing Share Consumer Support (Kafka Queues) in Spring for Apache Kafka
Continuing our Road to GA series, this week we're exploring Share Groups in Apache Kafka 4.0.0 and their integration in Spring for Apache Kafka 4.0.0 - a feature that fundamentally expands how we can consume messages from Kafka topics. When we first start working with Kafka, the mental model is...
This Week in Spring - October 14th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Boston and New York City and Bulgaria and Poland this week, but I'm still hyped about last week's amazing Devoxx Belgium event! There are a ton of videos to look at, and I'll include just some of them here. So, without...
Spring Session Hazelcast: Now Led by Hazelcast Team
It gives me great pleasure to announce that the Spring Session Hazelcast project will now be led by the Hazelcast Team. NOTE: This announcement is in alignment with our announcement Spring Session MongoDB: Now Led by MongoDB Team. For ten years Spring Session has provided the infrastructure for...
Spring Session MongoDB: Now Led by MongoDB Team
It gives me great pleasure to announce that the Spring Session MongoDB project will now be led by the MongoDB Team. NOTE: This announcement is in alignment with our announcement Spring Session Hazelcast: Now Led by Hazelcast Team. For ten years Spring Session has provided the infrastructure for...
CVE-2025-52634 HCL AION is susceptible to Spring Boot Actuator Endpoints Exposed
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0...
CVE-2025-52634
HCL AION (AI lifecycle platform) 2.0 is affected by CVE-2025-52634, described as an information disclosure vulnerability enabling unauthorized access. Multiple sources (NVD, RHACVE, CNVD, CNNVD, CVE lists, PT-2025-41539) corroborate that sensitive information can be exposed to an unauthenticated ...
Remote Code Execution
org.springframework.cloud, spring-cloud-gateway-server is vulnerable to Remote Code Execution. The vulnerability is due to exposed actuator endpoints evaluating user-controlled input via the GatewayEvaluationContext, allowing attackers to modify Spring Environment properties when the actuator...
Improper Authorization
org.springframework, spring-core is vulnerable to improper authorization. The vulnerability is due to incorrect annotation resolution on methods within type hierarchies that use unbounded generics, which allows an attacker to bypass security checks when Spring Security’s @EnableMethodSecurity...
Authorization Bypass
org.springframework.security, spring-security-core is vulnerable to Authorization Bypass. The vulnerability is due to improper resolution of annotations on methods within type hierarchies containing parameterized supertypes with unbounded generics, which allows an attacker to bypass authorization...
A Bootiful Podcast: Spring Security contributor Josh Cummings on the latest-and-greatest in Spring Security 7
Hi, Spring fans! In this installment we talk to Spring Security contributor and legend Josh Cummings...
Security Bulletin: Multiple vulnerabilities in Spring may affect IBM Business Automation Workflow - CVE-2024-38820, CVE-2025-22233
Summary IBM Business Automation Workflow packages vulnerable copies of Spring framework. Vulnerability Details CVEID: CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptio...
EUVD-2025-31861
A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/editorderdetails.php. The manipulation of the argument orderid results in sql injection. The attack may be launched remotely. The exploit is now public and may be used...
Linux Distros Unpatched Vulnerability : CVE-2025-11226
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacke...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "eventlet-0.39.0-py3-none-any.whl, commons-lang3-3.17.0.jar, spring-core-6.2.10.jar" which is vulnerable to "CVE-2025-58068, CVE-2025-48924, CVE-2025-41249". This bulletin contains information regarding the vulnerability and how it is addressed...
Security Bulletin: IBM Sterling Connect:Direct Web Services vulnerable to spring-beans-6.2.3.jar (CVE-2025-41242)
Summary IBM Sterling Connect:Direct Web Services is vulnerable to Path Traversal Vulnerability in spring-beans-6.2.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID: CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a...
Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in spring-security-core-6.4.3.jar (CVE-2025-41248)
Summary IBM Sterling Connect:Direct Web Services is vulnerable to Annotation detection mechanism may not correctly resolve annotations on methods in spring-security-core-6.4.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID: CVE-2025-41248...
Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in spring-web-6.2.3.jar (CVE-2025-41234)
Summary IBM Sterling Connect:Direct Web Services is vulnerable to a reflected file download (RFD) attack in spring-web-6.2.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID: CVE-2025-41234 DESCRIPTION: In Spring Framework, versions 6.0.x a...
EUVD-2020-11604
Malware in sbrugna...