Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,859
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 6,181 - 6,200 of 37,697 CVEs
CVE-2026-41855 HIGH - 8.1

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41854 MEDIUM - 4.2

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41853 MEDIUM - 5.3

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41851 MEDIUM - 5.3

Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 th...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41850 HIGH - 7.5

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation o...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41849 HIGH - 7.5

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Fr...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD

Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String p...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41847 MEDIUM - 4.8

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41846 MEDIUM - 5.9

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7....

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41845 HIGH - 7.1

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5....

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41844 MEDIUM - 4.2

A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 ...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41843 MEDIUM - 5.9

Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41842 HIGH - 7.5

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41841 MEDIUM - 5.9

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41840 MEDIUM - 5.9

Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41839 MEDIUM - 4.2

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 th...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41838 MEDIUM - 4.8

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through ...

Vendor: Spring
Product: Spring Framework
Published: Jun 09, 2026
Source: NVD
CVE-2026-41720 HIGH - 7.4

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.

Vendor: Spring
Product: Spring LDAP
Published: Jun 09, 2026
Source: NVD
CVE-2026-41715 MEDIUM - 6.1

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1...

Vendor: Spring
Product: Reactor Netty
Published: Jun 09, 2026
Source: NVD