Is Java affected by EUVD-2026-16535?

Spring AI versions 1.0.0-1.0.4 and 1.1.0-1.1.3 contain a critical remote code execution vulnerability in the SimpleVectorStore component that allows unauthenticated attackers to execute arbitrary code by injecting malicious expressions through filter inputs.

EUVD-2026-16535

| CVE-2026-22738 CRITICAL

2026-03-27 vmware

GHSA-fvh3-672c-7p6c

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 27, 2026 - 05:30 euvd

EUVD-2026-16535

Analysis Generated

Mar 27, 2026 - 05:30 vuln.today

CVE Published

Mar 27, 2026 - 05:21 nvd

CRITICAL 9.8

Description

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Analysis

Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. …

Remediation

Within 24 hours: Identify all applications using Spring AI 1.0.0-1.0.4 or 1.1.0-1.1.3 and assess whether SimpleVectorStore processes untrusted user input in filter expressions. Within 7 days: Implement network segmentation and input validation controls (see compensating controls); disable SimpleVectorStore if not operationally critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

EUVD-2026-16535 vulnerability details – vuln.today

Back

EUVD-2026-16535

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-16535

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code