Lucene search
K

214 matches found

OSV
OSV
added 2026/06/11 7:16 a.m.5 views

UBUNTU-CVE-2026-40997

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

5.3CVSS5.4AI score0.00366EPSS
Exploits0References3
OSV
OSV
added 2026/06/11 7:16 a.m.6 views

UBUNTU-CVE-2026-40994

Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

8.2CVSS5.2AI score0.00229EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/11 6:10 a.m.7 views

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Overview org.springframework.webflow:spring-webflow is a maven plugin for Spring Web Flow. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' via the WebFlowELExpressionParser...

7.2CVSS5.8AI score0.00225EPSS
Exploits0References2
NVD
NVD
added 2026/06/11 5:16 a.m.15 views

CVE-2026-40985

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1...

6.4CVSS0.00225EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.10 views

CVE-2026-41000 WSS4J validation does not use configured replay cache

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

3.7CVSS5.4AI score0.00223EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.10 views

CVE-2026-40999 Spring WS SSRF via unvalidated WS-Addressing reply destinations

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affect...

8.6CVSS5.4AI score0.00383EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:4 a.m.29 views

CVE-2026-40999

CVE-2026-40999 affects Spring Web Services (versions across 3.1.0–3.1.8, 4.0.0–4.0.18, 4.1.0–4.1.3, 5.0.0–5.0.1). When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS can initiate outbound connections via configured WebServiceMessageSender instances to destination...

8.6CVSS5.5AI score0.00383EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 5:4 a.m.30 views

CVE-2026-40999 Spring WS SSRF via unvalidated WS-Addressing reply destinations

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affect...

8.6CVSS0.00383EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.10 views

CVE-2026-40998 Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:4 a.m.13 views

EUVD-2026-36208

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:4 a.m.11 views

EUVD-2026-36207

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

5.3CVSS5.5AI score0.00366EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 5:4 a.m.28 views

CVE-2026-40997 SOAP security faults leak Spring Security account state

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

5.3CVSS0.00366EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.9 views

CVE-2026-40996 Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-15 encrypted key material unless operators explicitly reconfigured the flag...

4.8CVSS5.3AI score0.00129EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:4 a.m.35 views

CVE-2026-40996

CVE-2026-40996 affects Spring Web Services where Wss4jSecurityInterceptor incorrectly defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer validation behavior for RequestData. This could allow RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material in inbound WS-Security dec...

4.8CVSS5.5AI score0.00129EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:4 a.m.9 views

EUVD-2026-36205

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks disabled, locked, expired, or credentials-expired accounts. Affected versions: Spring Web...

5.4CVSS5.4AI score0.00148EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:3 a.m.10 views

CVE-2026-40994 Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

8.2CVSS5.3AI score0.00229EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:3 a.m.7 views

CVE-2026-40986 Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

4.8CVSS5.3AI score0.00201EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 5:3 a.m.32 views

CVE-2026-40986 Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

4.8CVSS0.00201EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:3 a.m.12 views

EUVD-2026-36201

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

4.8CVSS5.3AI score0.00201EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:3 a.m.25 views

CVE-2026-40986

Spring Web Flow vulnerability: JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not text/html, enabling a scripting attack if server error details containing attacker-reflected input are returned. Affected versions: Spring Web Flow 4.0.0; 3.0.0–3....

4.8CVSS5.3AI score0.00201EPSS
Exploits0References1
Rows per page
Query Builder