CVE-2026-41007

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

CVE-2026-41006

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

CVE-2026-41007 Spring HATEOAS heap exhaustion through unbounded internal caching

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

EUVD-2026-35346

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

CVE-2026-41006

Spring HATEOAS contains a deserialization vulnerability where internal PropertyUtils.createObjectFromProperties binds bean properties via reflection without honoring Jackson access-control annotations. This affects multiple supported branches: 1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x up to 3.0.3. Th...

EUVD-2026-35345

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

CVE-2026-41006 Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

PT-2026-47644

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

PT-2026-47645

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

EUVD-2023-1992

Malicious code in bioql PyPI...

CVE-2023-34036

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

This Week in Spring - July 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the middle of July! I can't believe it! Things have been just rushing by! did you see this awesome talk on observability by Tommy Ludwig and Jonatan Ivanov from Spring IO 2024? What is a ReadWriteLock? Spring for GraphQL...

This Week in Spring - April 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from beautiful Paris, France, ahead of the amazing Devoxx France event. I've come to almost all of these events over the years. It's hard to believe it's been more than a decade since the show was first...

This Week in Spring - March 19th, 2024

Hi, Spring fans! And happy Java 22 release day to those who celebrate! I just put out a huge blog detailing many of the exciting new features in Java 22. Check it out! As usual, we've got a packed roundup to get through this week so let's dive right into it! the Spring Authorization Server 1.3.0-...

This Week in Spring - October 3rd, 2023

Hi Spring fans! Welcome to another installment of This Week in Spring! How're you doin'? I've just flown in from Singapore - where I was keynoting and presenting at SpringOne Singapore - and am now in Antwerp, Belgium for the deliriously fun Devoxx Belgium show. I've missed this show, and it's a...

Security Bulletin: Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

Summary Multiple security vulnerabilities impacting Watson Knowledge Catalog for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of he...

This Week in Spring - July 18th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in crazy cool Kuala Lumpur, Malaysia. If you're around, I'll be doing a presentation this Thursday the 20th of July, and I'd love to see you there! Then, after a quick vacation, it's off to Tokyo, Japan, where I'll also b...

be.personify.iam:personify-scim-server (>=2.1.0.RELEASE <=2.1.2.RELEASE), com.angorasix:parent-pom-spring-kotlin (>=0.2.2 <=0.3.1) +41 more potentially affected by CVE-2023-34036 via org.springframework.hateoas:spring-hateoas (=2.1.0)

org.springframework.hateoas:spring-hateoas MAVEN version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.hateoas:spring-hateoas and may be impacted: - be.personify.iam:personify-scim-server =2.1.0.RELEASE, =0.2.2, =4.1.5,...

am.ik.home:uaa-client (>=1.0.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.0.0 <=1.9.0) +922 more potentially affected by CVE-2023-34036 via org.springframework.hateoas:spring-hateoas (>=0.12.0.RELEASE <=1.5.4)

org.springframework.hateoas:spring-hateoas MAVEN version =0.12.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.1.0, =1, =1, =1, =1, =1, =1, =1.0.1.RELEASE, =1.0.0.RELEASE, =1.0.1.RELEASE, =1.1.8.RELEASE, =1.1.5.RELEASE, =2.0.9.RELEASE and more Source cves: CVE-2023-34036 Source advisory:...

be.personify.iam:personify-api (>=1.5.0.RELEASE <=1.5.1.RELEASE), be.personify.iam:personify-frontend (=1.5.1.RELEASE) +51 more potentially affected by CVE-2023-34036 via org.springframework.hateoas:spring-hateoas (>=2.0.0 <=2.0.4)

org.springframework.hateoas:spring-hateoas MAVEN version =2.0.0, =1.5.0.RELEASE, =1.5.0.RELEASE, =0.2.6, =1.6.9, =1.0, =1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =2.0.0, =2.0.4 - com.wizzdi:FlexiCore =7.0.0 and more Source cves: CVE-2023-34036 Source advisory: OSV:GHSA-7M5C-FGWF-MWPH...