1949 matches found
Spring Framework - Path Traversal
Spring Framework MVC applications deployed as WAR or with embedded Servlet containers that do not reject suspicious URI sequences and serve static resources with Spring resource handling contain a path traversal vulnerability, letting attackers access unauthorized files, exploit requires...
CVE-2026-41845
A flaw was found in Spring Framework. Due to incorrect escaping when using JavaScriptUtils.javaScriptEscape, a remote attacker could inject malicious JavaScript code into a user's browser. This could lead to a cross-site scripting XSS vulnerability, allowing the attacker to execute arbitrary...
CVE-2026-41839
A flaw was found in Spring Framework. A remote attacker, by compromising a subdomain of a WebFlux application for example, through cross-site scripting XSS, could exploit this vulnerability to escalate privileges. This allows the attacker to exchange a known session ID for that of an authenticate...
CVE-2026-41844
A flaw was found in Spring Framework. A Spring MVC or Spring WebFlux application that configures a mapping for "/" without explicitly specifying the view name is vulnerable. An attacker can exploit this by crafting a malicious link, leading to an open redirect. This allows the attacker to redirec...
CVE-2026-41850
A flaw was found in Spring Framework. Applications that evaluate user-supplied Spring Expression Language SpEL expressions are vulnerable to an Algorithmic Denial of Service DoS. A remote attacker can exploit this by providing a specially crafted expression, which triggers excessive resource...
CVE-2026-41853
A flaw was found in Spring MVC and WebFlux applications, components of the Spring Framework. This vulnerability allows a remote, unauthenticated attacker to perform Multipart request smuggling attacks. Such an attack can lead to a low integrity impact, potentially enabling the attacker to bypass...
CVE-2026-41851
A flaw was found in Spring Framework. Applications that accept user-supplied Spring Expression Language SpEL expressions may be vulnerable to a Denial of Service DoS attack. This occurs if the evaluation of a SpEL expression triggers unbounded cache growth, consuming excessive resources and makin...
CVE-2026-41848
A flaw was found in Spring Framework. A remote attacker can exploit this vulnerability by providing a specially crafted regular expression pattern to the AntPathMatcher component. This can lead to a Regular Expression Denial of Service ReDoS condition, causing the application to become...
CVE-2026-41842
A flaw was found in the Spring Framework. This vulnerability allows a remote attacker to cause a Denial of Service DoS by exploiting how Spring MVC and WebFlux applications resolve static resources. This can lead to the affected application becoming unavailable. Mitigation Mitigation for this iss...
CVE-2026-41846
A flaw was found in Spring MVC applications, part of the Spring Framework. This vulnerability allows a remote attacker to inject arbitrary HTML or JavaScript code due to improper handling of user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags. Successful...
CVE-2026-41854
A flaw was found in Spring Framework. Due to incorrect host parsing in the UriComponentsBuilder component, applications that process externally provided URL strings may be vulnerable to a Server-Side Request Forgery SSRF attack. An SSRF attack allows an attacker to trick the server into making...
K000162161: Spring Framework vulnerability CVE-2026-41839
Security Advisory Description A WebFlux application with a compromised subdomain for example, compromised via cross-site scripting XSS is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7;...
K000162156: Spring Framework vulnerability CVE-2026-41844
Security Advisory Description A Spring MVC or Spring WebFlux application which configures a mapping for "/" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions:...
K000162130: Spring Framework vulnerability CVE-2026-41851
Security Advisory Description Applications which accept user-supplied Spring Expression Language SpEL expressions may be vulnerable to a Denial of Service DoS attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7;...
K000162041: Spring Framework vulnerabilities CVE-2026-41843 and CVE-2026-41846
Security Advisory Description CVE-2026-41843 Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. CVE-2026-41846 Spri...
Security Bulletin: IBM Terracotta is affected by a Spring Framework vulnerability that could allow Denial of Service (Dos) attacks, and Incorrect Authorization attacks
Summary IBM Terracotta uses Spring Framework as an application foundation within the product. Vulnerability Details CVEID:CVE-2026-41850 DESCRIPTION: Applications that evaluate user-supplied Spring Expression Language SpEL expressions are vulnerable to an Algorithmic Denial of Service DoS. By...
Security Bulletin: IBM Terracotta is affected by a Spring Framework vulnerability that could allow Cross-site Scripting attacks, Denial of Service (DoS) attacks, and Server-Side Request Forgery attacks
Summary IBM Terracotta uses Spring Framework as an application foundation within the product. Vulnerability Details CVEID:CVE-2026-41839 DESCRIPTION: A WebFlux application with a compromised subdomain for example, compromised via cross-site scripting XSS is vulnerable to an escalation attack...
Security Bulletin: IBM Terracotta is affected by a Spring Framework vulnerability that could allow Information Disclosure, Denial of Service (Dos) attacks, and Path Traversal attacks
Summary IBM Terracotta uses Spring Framework as an application foundation within the product. Vulnerability Details CVEID:CVE-2026-41841 DESCRIPTION: Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring...
Security Bulletin: IBM Terracotta is affected by multiple Spring Framework vulnerabilities that could allow exploiting WebSocket sessions and cross-site scripting
Summary IBM Terracotta uses Spring Framework as an application foundation within the product. Vulnerability Details CVEID:CVE-2026-41838 DESCRIPTION: IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination...
Security Bulletin: Vulnerabilities in Spring Security, Apache Tomcat, Netty, Lodash, Spring Framework and Node.js might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring Security, Apache Tomcat, Netty, Lodash, Spring Framework and Node.js. Vulnerabilities include the authentication, authorization, and other security controls being rendered inactive on intended requests,...