best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +715 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.4.RELEASE)

org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-41901 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16419367...

Expression Language Injection

Overview Affected versions of this package are vulnerable to Expression Language Injection when dynamically loading classes, which allows server-side template injection that crosses the intended sandbox boundary. An attacker can execute unauthorized expressions with the privileges of the server b...

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1) +1472 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring5 (>=3.0.10.RELEASE <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf-spring5 MAVEN version =3.0.10.RELEASE, =0.5.0, =1.1.1, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.7.0, =3.7.0, =5.3.0, =6.2.0, =5.1.0, =6.8.0, =6.4.0, =5.3.0, =3.7.0, =5.5.7 and more Source cves: CVE-2026-41901 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16419368...

Information Exposure

org.springframework.grpc, spring-grpc-core is vulnerable to information exposure through error messages. The vulnerability is due to returning raw server-side AuthenticationException messages in the gRPC status description, which allows an attacker to gather authentication failure details and...

CVE-2026-40466

A flaw was found in Apache ActiveMQ. An authenticated attacker can bypass a previous security fix by adding a connector using an HTTP Discovery transport through Jolokia, if the activemq-http module is present. A malicious HTTP endpoint can return a virtual machine VM transport, which allows the...

Improper Input Validation

org.apache.activemq, activemq-broker is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation in HTTP Discovery transport handling, which allows an authenticated attacker to bypass previous fixes and exploit broker configuration loading to execute arbitrary...

CVE-2026-41044

A flaw was found in Apache ActiveMQ. An authenticated attacker can exploit an improper input validation vulnerability in the admin web console to craft a malicious broker name. This malicious name, containing an xbean binding, can be used by a virtual machine VM transport to load a remote Spring...

CVE-2026-22741

A flaw was found in Spring MVC and Spring WebFlux applications. A remote attacker can exploit this vulnerability by sending malicious requests to poison the resource cache with incorrectly encoded resources. This can lead to a denial of service DoS by disrupting the front-end application for...

CVE-2026-40974

A flaw was found in Spring Boot's Cassandra auto-configuration. This vulnerability allows an adjacent attacker to bypass hostname verification during SSL Secure Sockets Layer connection establishment to Cassandra. This could enable a man-in-the-middle attack, potentially leading to unauthorized...

CVE-2026-40971

A flaw was found in Spring Boot. When configured to use an SSL Secure Sockets Layer bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. This vulnerability could allow an attacker on the same network to intercept or alter...

Spring Office Hours Podcast: S5E14 - Spec Driven Development with Simon Martinelli

Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this episode, Dan and DaShaun are joined by Java Champion, Vaadin Champion, and Oracle ACE Pro Simon Martinelli to talk about Spec-Driven Development. With AI reshaping how we write code, Simon makes the case th...

Linux Distros Unpatched Vulnerability : CVE-2026-40974

"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot...

Linux Distros Unpatched Vulnerability : CVE-2026-22741

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all...

Sensitive Information Disclosure

Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to bypass of timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...

CLEANSTART-2026-GN46454 When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written

Multiple security vulnerabilities affect the apache-nifi package. When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. See references for individual vulnerability details...

Spring AI 1.0.x < 1.0.6 / 1.1.x < 1.1.5 Multiple Vulnerabilities

The version of Spring AI installed on the remote host is 1.0.x prior to 1.0.6 or 1.1.x prior to 1.1.5. It is, therefore, affected by multiple vulnerabilities, including: - A SQL injection vulnerability in CosmosDBVectorStore allows attackers to execute arbitrary SQL queries via crafted document...

Apache ActiveMQ < 5.19.6 / 6.x < 6.2.5 Multiple Vulnerabilities

The version of Apache ActiveMQ running on the remote host is prior to 5.19.6 or 6.x prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities: - An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via...

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.13.1 Vulnerability Details CVEID:CVE-2026-22737 DESCRIPTION: Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of conten...

Improper Access Control

Spring Security is vulnerable to Improper Access Control. The vulnerability is due to incorrect request matching when using securityMatchersString with a PathPatternRequestMatcher.Builder that prepends a servlet path, causing requests to bypass the intended filter chain and leaving authentication...

Certificate Impersonation

spring-security-web is vulnerable to certificate impersonation. The vulnerability is due to improper parsing of malformed X.509 certificate CN values in SubjectX500PrincipalExtractor, which can result in extracting an incorrect username and allow attackers to impersonate another user...