Lucene search
K

1223 matches found

Spring Security Advisories
Spring Security Advisories
added 2026/06/09 12:0 a.m.7 views

CVE-2026-41694: SAML Payloads Decrypted Without Valid Signature

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle...

3.7CVSS5.8AI score0.00137EPSS
Exploits0References1Affected Software1
Spring Security Advisories
Spring Security Advisories
added 2026/06/09 12:0 a.m.7 views

CVE-2026-41706: Open Redirect When Using CookieRequestCache

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL including scheme, host, and port ...

6.1CVSS5.8AI score0.00211EPSS
Exploits0References1Affected Software1
Circl
Circl
added 2026/06/08 7:18 a.m.7 views

CVE-2026-41720

creationtimestamp| type| source ---|---|--- 2026-06-08 07:18:37+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/spring-security-advisory-av26-558...

7.4CVSS4.9AI score0.00257EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/06 1:42 p.m.6 views

Security Bulletin: Due to use of spring-security-core-6.5.9.jar, IBM Sterling Connect:Direct Web Services is vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition

Summary spring-security-core-6.5.9.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-22746, CVE-2026-22751. Vulnerability Details CVEID:CVE-2026-22746 DESCRIPTION: Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or...

4.8CVSS5.4AI score0.00215EPSS
Exploits0Affected Software1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.8 views

CicadasCMS 代码注入漏洞

CicadasCMS is a content management framework developed by the Chinese individual developer westboy, based on SpringBoot, Mybatis, SpringSecurity, and Vue. CicadasCMS has a code injection vulnerability, which stems from an unknown function issue in the task scheduling management module, specifical...

4.8CVSS4.9AI score0.0021EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.7 views

Unity Linux 20.1070e Security Update: springframework (UTSA-2026-016711)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016711 advisory. Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests ...

7.5CVSS7.1AI score0.02837EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/15 1:57 p.m.8 views

CVE-2026-34263

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application...

9.6CVSS6AI score0.0061EPSS
Exploits0References1
F5 Networks
F5 Networks
added 2026/05/14 8:48 a.m.17 views

K000161272: Spring Security vulnerability CVE-2026-22753

Security Advisory Description Vulnerability in Spring Spring Security. If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercise...

7.5CVSS5.8AI score0.00248EPSS
Exploits0
EUVD
EUVD
added 2026/05/12 3:31 a.m.8 views

EUVD-2026-29372

Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the applicati...

9.6CVSS6AI score0.0061EPSS
Exploits0References3
NVD
NVD
added 2026/05/12 3:16 a.m.13 views

CVE-2026-34263

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application...

9.6CVSS0.0061EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/12 2:20 a.m.10 views

CVE-2026-34263 Missing authentication check in SAP Commerce cloud configuration

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application...

9.6CVSS6AI score0.0061EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 2:20 a.m.6 views

CVE-2026-34263

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application...

9.6CVSS6AI score0.0061EPSS
Exploits0References3
Circl
Circl
added 2026/05/11 9:4 a.m.9 views

CVE-2026-41713

creationtimestamp| type| source ---|---|--- 2026-05-11 09:04:11+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/spring-security-advisory-av26-443 2026-05-11 12:05:29+00:00| seen| https://bsky.app/profile/o2cloud.bsky.social/post/3mllabzqe2i2x 2026-05-12 11:59:24+00:00| seen|...

8.2CVSS5.7AI score0.00218EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.21 views

PT-2026-39922

Name of the Vulnerable Software and Affected Versions SAP Commerce cloud affected versions not specified Description Improper Spring Security configuration allows an unauthenticated user to perform malicious configuration upload and code injection. This can result in arbitrary server-side code...

10CVSS6AI score0.0061EPSS
Exploits0References22
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/05 6:22 p.m.28 views

Security Bulletin: Vulnerabilities in Spring WebFlux, Jenkins, Spring Securiy, Spring Framework, and Node.js lodash might affect IBM Storage Defender Copy Data Management.

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring WebFlux, Jenkins, Spring Securiy, Spring Framework, and Node.js lodash. Vulnerabilities include an attacker, local attacker, remote attacker and authenticated attacker could exploit these vulnerabilitie...

9.8CVSS8.7AI score0.2241EPSS
Exploits15Affected Software1
Veracode
Veracode
added 2026/04/30 7:50 a.m.9 views

Sensitive Information Disclosure

Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to bypass of timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...

3.7CVSS5.2AI score0.00215EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/30 12:36 a.m.4 views

CLEANSTART-2026-GN46454 When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written

Multiple security vulnerabilities affect the apache-nifi package. When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. See references for individual vulnerability details...

9.8CVSS8.4AI score0.01125EPSS
Exploits3References18
Veracode
Veracode
added 2026/04/29 1:18 p.m.17 views

Improper Access Control

Spring Security is vulnerable to Improper Access Control. The vulnerability is due to incorrect request matching when using securityMatchersString with a PathPatternRequestMatcher.Builder that prepends a servlet path, causing requests to bypass the intended filter chain and leaving authentication...

7.5CVSS5.8AI score0.00248EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/04/29 1:3 p.m.9 views

Certificate Impersonation

spring-security-web is vulnerable to certificate impersonation. The vulnerability is due to improper parsing of malformed X.509 certificate CN values in SubjectX500PrincipalExtractor, which can result in extracting an incorrect username and allow attackers to impersonate another user...

8.1CVSS5.2AI score0.00296EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2026/04/29 11:31 a.m.8 views

Authorization Bypass

spring-security-config is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of the servlet-path attribute in , where the servlet path is not included when computing the path matcher, causing defined authorization rules to be skipped and allowing unauthorized acces...

7.5CVSS5.1AI score0.00266EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder