Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

Spring Data REST 2.6.9 and 3.0.1, Spring Boot 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending malicious PATCH requests. id: CVE-2017-8046 info: name: Spri...

This Week in Spring - April 21st, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! What a week it's been since we last talked. I was in Barcelona, Spain, for the amazing Spring I/O event there. It has become my favorite show, full stop. Just such an amazing experience. So many wonderful things going on there...

Exploit for Code Injection in Pivotal_Software Spring_Data_Commons

SpringBoot-Toolkit An interactive penetration-testing tool de...

This Week in Spring - April 7th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! It's April 7th, 2026, and I'm on the road! I started the journey for the amazing Voxxed Days Amsterdam show and am now winding my way through France. I visited Colmar, a beautiful city from which the animators on Disney's Beau...

A Bootiful Podcast: Neo4j legend Jennifer Reif

Hi, Spring fans! In this installment, I talk to Jennifer Reif, developer advocate at Neo4J, about graph RAG, graph databases, GraphQL, Neo4J, Spring Data Neo4J, and more. neo4j graphRag AI artificialintelligence...

Moving beyond Strings in Spring Data

If you've worked with data access in Java and especially with Spring Data for a while, then you are familiar with various Query and Update programming models. You write data access code. You refactor a property name. You run your tests. They fail. Your query strings? Still pointing to the old...

This Week in Spring - February 24th, 2026

Hi, Spring fans! Welcome to another awesome and oh-so-agentic week in Spring! We've got a ton to look into, and I've got even more to prepare for next week's DevNexus event in Atlanta, GA, so let's dive right into it! Be sure to say "hi" if you're going to be there, though! You've heard of Agent...

CVE-2026-2818

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

com.netflix.ndbench:ndbench-cli (>=0.3.12 <=0.7.4), com.netflix.ndbench:ndbench-geode-plugins (>=0.3.5 <=0.7.4) +35 more potentially affected by CVE-2026-2818 via org.springframework.data:spring-data-geode (>=1.0.0.INCUBATING-RELEASE <=2.7.5)

org.springframework.data:spring-data-geode MAVEN version =1.0.0.INCUBATING-RELEASE, =0.3.12, =0.3.5, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =3.0.0, =3.2.1...

CVE-2026-2818 Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818 Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2818

CVE-2026-2818 describes a zip-slip path traversal in Spring Data Geode’s import snapshot functionality, affecting Windows environments. The issue allows writing files outside the intended extraction directory during snapshot extraction, with impact described as confidentiality: Low , integrity: H...

Spring Data Geode 安全漏洞

Spring Data Geode is a software developed by Spring for configuring, operating, and accessing distributed data management systems. There is a security vulnerability in Spring Data Geode, which stems from a Zip Slip path traversal vulnerability in the import snapshot function. This vulnerability...

PT-2026-21245

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only...

CVE-2026-2817

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

Creation of Temporary File in Directory with Insecure Permissions

Overview Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of an insecure temporary directory during snapshot import operations. An attacker can access sensitive information by reading files from the temporary...

com.netflix.ndbench:ndbench-cli (>=0.3.12 <=0.7.4), com.netflix.ndbench:ndbench-geode-plugins (>=0.3.5 <=0.7.4) +35 more potentially affected by CVE-2026-2817 via org.springframework.data:spring-data-geode (>=1.0.0.INCUBATING-RELEASE <=2.7.5)

org.springframework.data:spring-data-geode MAVEN version =1.0.0.INCUBATING-RELEASE, =0.3.12, =0.3.5, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =3.0.0, =3.2.1...

CVE-2026-2817 Spring Data Geode Insecure Temporary Directory Usage

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

CVE-2026-2817

CVE-2026-2817 affects Spring Data Geode. The issue arises from using an insecure directory during snapshot imports: archives are extracted to predictable, overly permissive locations in the system temp directory. On shared hosts, a local user with basic privileges can access another user’s extrac...