Java
Monthly
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust application availability by sending specially crafted calls processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but there is no public exploit identified at time of analysis and no CISA KEV listing. Impact is limited to availability - no confidentiality or integrity compromise is possible.
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.
Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.
PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.
Authorization bypass in Spring for GraphQL (versions 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3) allows remote attackers to invoke @Controller data fetcher methods whose security annotations are declared on parent classes or interfaces, because the framework's annotation detection does not consistently resolve annotations across type hierarchies. The flaw is rated CVSS 7.5 (confidentiality-only impact) and no public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS vector makes any affected GraphQL endpoint a meaningful exposure.
Cross-Site WebSocket Hijacking in Spring for GraphQL allows remote attackers to execute arbitrary GraphQL operations under an authenticated victim's identity when the application has enabled the GraphQL WebSocket transport. The flaw stems from missing origin validation on WebSocket handshakes (CWE-346), affecting Spring for GraphQL 1.0.x, 1.3.x, 1.4.x, and 2.0.x branches up to 2.0.3. No public exploit identified at time of analysis, but the high CVSS (8.1) and reliance only on a single victim click make this a meaningful risk for any deployment exposing the WebSocket endpoint.
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.
Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.
Replay attack protections in Spring Web Services are silently ineffective across multiple major branches due to Wss4jSecurityInterceptor failing to wire configured Apache WSS4J ReplayCache instances into the RequestData object at validation time. Operators who believe UsernameToken nonce replay, Timestamp replay, and SAML one-time-use checks are enforced are unknowingly running without those controls. A network-positioned attacker can intercept and replay valid WS-Security tokens - including credentials and SAML assertions - to re-execute previously-authorized SOAP operations, with no public exploit identified at time of analysis and no CISA KEV listing.
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.
Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.
Spring Web Services' Wss4jSecurityInterceptor silently defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's own safer default and permitting inbound WS-Security decryption to accept the weak RSA PKCS#1 v1.5 (rsa-1_5) key transport algorithm. This misconfiguration-by-default affects all four supported release trains (3.1.x, 4.0.x, 4.1.x, 5.0.x) and opens deployed SOAP services to Bleichenbacher-style adaptive chosen-ciphertext attacks against server-side RSA key material unless operators explicitly override the flag. No public exploit has been identified at time of analysis, and the CVSS-assigned high attack complexity (AC:H) reflects the significant number of oracle queries required to mount a practical attack.
X509AuthenticationProvider in Spring Web Services issues fully authenticated tokens from client certificates without enforcing Spring Security's account lifecycle checks, meaning disabled, locked, expired, or credentials-expired accounts can successfully authenticate. This affects all maintained release branches from 3.1.0 through 5.0.1 and was reported by VMware, the Spring project maintainer. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass is meaningful in environments that rely on account-disablement as the primary deprovisioning control rather than certificate revocation.
Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. The CVSS 8.2 score reflects high integrity impact because protocol-level cryptographic checks expected by downstream consumers are silently weakened.
Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.
Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.
Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authentication bypass via X.509 certificate impersonation in Spring Security affects versions 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, and 6.5.0-6.5.10, where the SubjectDnX509PrincipalExtractor mishandles malformed Common Name (CN) values and resolves the principal to the wrong identity. An attacker holding a carefully crafted client certificate can authenticate as a different legitimate user, gaining their privileges. No public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects no observed exploitation activity.
Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.
Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. No public exploit identified at time of analysis, but the CVSS 8.1 rating and CWE-502 classification place this firmly in the high-impact Java deserialization category that has historically yielded remote code execution.
Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.
Spring Data REST leaks persistence-layer internals - including database schema details, Hibernate/JPA exception messages, and query structures - by serializing the full exception cause chain directly into HTTP error response bodies. All five active release lines are affected (3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x), and the CVSS vector confirms unauthenticated remote exploitation against default configurations with no user interaction required. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the zero-friction access conditions make any network-exposed Spring Data REST deployment a realistic target for automated reconnaissance that could enable follow-on, more damaging attacks.
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
Authorization bypass in Spring Data REST's JSON Patch handler allows remote unauthenticated attackers to modify protected entity fields by routing writes through intermediate path segments of a multi-segment JSON Pointer. The flaw affects Spring Data REST 3.7.x through 5.0.5 and carries a CVSS 7.5 (high) integrity-only impact; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Unbounded heap growth in Spring for Apache Kafka's DelegatingDeserializer allows an authenticated network producer to trigger a Denial of Service against any consumer application that opts into this deserializer. By flooding the consumer with Kafka records carrying unique, randomized spring.kafka.serialization.selector header values, an attacker forces unbounded cache growth on the consumer's JVM heap, ultimately inducing GC thrash and OutOfMemoryError. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low-complexity, network-accessible attack surface warrants prompt remediation for affected deployments.
Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
Denial-of-service in Spring Data Commons (versions 2.7.0-4.0.5) allows remote unauthenticated attackers to exhaust JVM heap memory by repeatedly submitting unique property-name strings that are permanently retained in an internal property-lookup cache. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting purely availability impact. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Improper certificate validation in Spring AMQP allows a network-positioned attacker to perform a man-in-the-middle attack against applications that configure broker connections via RabbitConnectionFactoryBean.setUri("amqps://...") without explicitly calling setUseSSL(true). Affected are Spring AMQP versions 2.4.0 through 4.0.3 across four release lines. Although TLS encryption is established, the absence of certificate chain validation and hostname verification means a rogue broker can impersonate the legitimate RabbitMQ instance, exposing message content in transit. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.
Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.
Predictable correlation IDs in Spring AMQP's RabbitTemplate.sendAndReceive() expose request-reply messaging to correlation hijacking when a fixed reply queue is configured. Affected are all widely used Spring AMQP branches from 2.4.x through 4.0.x - a broad install base across Java enterprise applications. A network-positioned attacker with high privileges can exploit the sequential counter to predict future correlation IDs, enabling interception or injection of reply messages into the shared fixed reply queue. No public exploit code exists and this vulnerability is not listed in CISA KEV; CVSS 4.4 Medium reflects real-world limitations from high privilege and complexity requirements despite the changed scope indicator.
Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.
Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.
Denial of service in Spring Data Commons 3.4.x, 3.5.x, and 4.0.x allows remote unauthenticated attackers to exhaust server resources by supplying crafted property path strings that the MappingContext resolves inefficiently. The flaw is reachable wherever applications expose property path parsing to untrusted input, and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) it is trivially triggerable, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. No public exploit identified at time of analysis and EPSS is very low (0.01%), but CVSS rates impact as High due to full confidentiality, integrity, and availability loss on the application.
XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.
Denial of service in Spring Security's SAML 2.0 service provider module allows remote unauthenticated attackers to exhaust application memory by submitting a maliciously compressed SAML payload over the REDIRECT binding. The flaw stems from an unbounded inflater that decompresses attacker-controlled data without size limits, enabling a classic decompression-bomb attack against any Spring application using SAML Login or Logout. No public exploit identified at time of analysis, but the network-reachable, no-authentication CVSS profile (7.5 High) makes this a near-term patching priority for SAML-enabled deployments.
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by embedding payloads in DICOM file metadata fields such as Study Description, which are reflected unsanitized through popup.jsp and archiving/uploadfiles_jsp.java. A publicly available proof-of-concept exists, and the researcher's published chain explicitly demonstrates escalation from this XSS primitive to remote code execution, materially elevating the real-world severity beyond the CVSS 5.3 score. No public exploit identified as confirmed actively exploited (CISA KEV) at time of analysis, but the healthcare context and documented RCE chain make this a high-priority finding for any OpenClinic GA deployment.
Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.
Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unsafe JSON deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) lets an attacker who controls JMS message content instantiate arbitrary classes, enabling gadget-chain attacks that can escalate to unauthorized actions or remote code execution. It affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 when applications consume messages from an untrusted JMS source. There is no public exploit identified at time of analysis, and despite a 9.8 CVSS the EPSS probability is only 0.04% and CISA SSVC rates exploitation as 'none'.
Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.
Denial of service in VMware's Spring Framework (versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7) lets remote attackers exhaust memory in applications that evaluate user-supplied Spring Expression Language (SpEL) expressions, where crafted expressions trigger unbounded internal cache growth. No authentication or user interaction is required per the CVSS vector (PR:N/UI:N), and the impact is availability-only (C:N/I:N/A:H). There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.01%, 2nd percentile), though CISA's SSVC framework flags the issue as automatable.
Algorithmic denial of service in Spring Framework SpEL evaluation allows remote unauthenticated attackers to exhaust CPU/memory resources by submitting specially crafted Spring Expression Language expressions, degrading or crashing affected applications. Impacts Spring Framework 5.3.x through 7.0.x in any application that evaluates user-supplied SpEL. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high availability impact with no confidentiality or integrity compromise.
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. Applications that evaluate untrusted SpEL input are at greatest risk.
Denial of service in Spring Framework's AntPathMatcher allows remote unauthenticated attackers to exhaust CPU resources via Regular Expression Denial of Service (ReDoS) when attacker-controlled patterns are passed to match(), matchStart(), or extractUriTemplateVariables(). Affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. No public exploit identified at time of analysis, EPSS is very low (0.01%, 2nd percentile), and SSVC indicates no observed exploitation.
Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Cross-site scripting (XSS) in Spring Framework's MVC JSP form tags allows unauthenticated remote attackers to inject arbitrary HTML or JavaScript into rendered pages by supplying malicious values through the cssClass, cssErrorClass, or cssStyle tag attributes. Applications across four active Spring Framework release lines (5.3.x through 7.0.x) are affected when they pass user-controlled input directly into these tag attributes. No public exploit code has been identified at time of analysis, and CISA has not listed this CVE in the Known Exploited Vulnerabilities catalog, but the broad installed base of Spring MVC in enterprise Java environments and the high confidentiality impact (session hijacking, credential theft) warrant prompt patching.
Cross-site scripting in Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 allows remote attackers to inject JavaScript into victim browsers when applications rely on JavaScriptUtils.javaScriptEscape() for output encoding. The flaw stems from incomplete escaping in this utility method, and successful exploitation requires user interaction (UI:R) such as visiting a crafted page. No public exploit has been identified at time of analysis and the issue is not in CISA KEV.
Open redirect in Spring Framework (Spring MVC and Spring WebFlux) across four major version branches enables unauthenticated remote attackers to craft URLs that cause the application to issue a 302 HTTP redirect to an arbitrary attacker-controlled external host. The vulnerability is conditionally exploitable - requiring a catch-all wildcard route mapping without an explicit view name - and demands user interaction to trigger. CVSS rates this 4.2 Medium (AV:N/AC:H/PR:N/UI:R); no public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in Spring Framework's static resource resolution exposes arbitrary server files to unauthenticated remote attackers across both Spring MVC and Spring WebFlux stacks. Four major release lines - 5.3.x, 6.1.x, 6.2.x, and 7.0.x - are affected, making this a broad-surface issue for the Java ecosystem. The CVSS vector confirms unauthenticated network access with high confidentiality impact, though the AC:H designation indicates non-trivial exploit conditions; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Denial of service in Spring Framework's Spring MVC and WebFlux static resource resolution allows remote unauthenticated attackers to exhaust application resources, affecting versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. The CVSS 7.5 score reflects high-impact availability damage over the network with no privileges or user interaction, and at time of analysis no public exploit identified at time of analysis. The flaw was reported by VMware (Spring's maintainer) and is tracked under the official Spring Security advisory.
Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector indicates exploitation requires specific conditions beyond default network access.
Denial of Service in Spring WebFlux's multipart request processing allows unauthenticated remote attackers to exhaust server resources across all supported Spring Framework branches. Affects Spring Framework 5.3.x through 7.0.x when applications use the reactive WebFlux stack and expose endpoints that accept multipart data. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the network-reachable, zero-privilege attack surface warrants prompt patching for internet-facing WebFlux deployments.
Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Predictable WebSocket session IDs in Spring Framework's spring-websocket module allow remote attackers to guess or forge session identifiers and, when paired with weak authorization rules, hijack or interact with other users' WebSocket sessions. The flaw affects Spring Framework 5.3.x, 6.1.x, 6.2.x, and 7.0.x prior to patched releases; no public exploit identified at time of analysis and EPSS is very low (0.03%).
Authentication bypass in Spring LDAP's DirContextAuthenticationStrategy allows remote unauthenticated attackers to succeed at LDAP bind operations by supplying any non-empty username paired with an empty or null password, due to the framework failing to reject such anonymous-equivalent bind requests. Affected releases span Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3, putting Java applications that delegate authentication to these libraries at risk of impersonating arbitrary users. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stateful retry cache exhaustion in Spring Retry 1.3.0-1.3.4 and 2.0.0-2.0.12 allows an unauthenticated remote attacker to permanently disable all retry and circuit breaker logic application-wide by flooding the service with uniquely crafted failure-triggering requests until the bounded cache is saturated. Once exhausted, the cache enters a terminal rejection state that persists until the application is restarted - making this a durable, high-impact denial-of-service condition against Java services relying on Spring Retry for resilience. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible unauthenticated attack surface makes this relevant to any internet-facing Spring application using stateful retry patterns.
Unauthenticated remote access to the Source Connection Test endpoint in DTStack Taier up to 1.4.0 is possible because the `preHandle` method in `LoginInterceptor.java` does not invoke `tokenService.decryption(token)`, allowing any network-reachable caller to bypass authentication entirely. The same patch commit reveals that `ConnFactory.getSimpleConn()` also lacked JDBC URL sanitization, meaning an unauthenticated attacker could supply dangerous parameters such as `autoDeserialize` or `allowLoadLocalInfile` to a malicious MySQL-compatible server, elevating the real-world impact well above the assigned CVSS 5.5 Medium rating. Publicly available exploit code exists (CVSS E:P confirmed); no CISA KEV listing is confirmed at time of analysis.
Reflected cross-site scripting in SAP NetWeaver JAVA's JDBC Test Servlet enables unauthenticated remote attackers to craft malicious URLs that execute arbitrary JavaScript in a victim's browser upon interaction. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect browser context beyond the vulnerable origin, enabling session theft, credential harvesting, or unauthorized modification of webclient data. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manipulate file inclusion parameters within crafted HTTP logon requests, leading to inclusion and processing of arbitrary local files. Successful exploitation can expose or modify sensitive data and render portions of the server unavailable, with no public exploit identified at time of analysis but a CVSS of 9.0 reflecting full CIA impact with scope change.
DNS cache poisoning in Netty's resolver component (io.netty:netty-resolver-dns) enables remote unauthenticated attackers to redirect downstream application traffic to attacker-controlled IPs through a Kaminsky-style spoofing attack. The vulnerability combines two compounding weaknesses present in the default configuration: DNS transaction IDs shuffled with a mathematically predictable Linear Congruential Generator (ThreadLocalRandom), and a static UDP source port resulting from the default ChannelPerResolver channel strategy. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the Netty project rated it high severity and released fixes in versions 4.1.135.Final and 4.2.15.Final.
File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.
Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.
Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.
Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). Publicly available exploit code exists per GitHub issue #354 and CVSS E:P; no public exploit identified at time of analysis in CISA KEV, and the CVSS 4.0 score of 2.1 reflects the limited impact and required user interaction.
Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.
Path traversal in hsweb-framework up to version 5.0.1 allows authenticated remote attackers to write files outside the intended upload directory by manipulating the filename argument in the file upload component. The root cause is insufficient sanitization of path sequences — including URL-encoded variants (`..%2F`) and Windows-style backslashes (`..\`) — in the `denied` function of `FileUploadProperties.java`. A public exploit has been disclosed via GitHub issue #344, and a patch commit is available; no KEV listing indicates opportunistic rather than confirmed mass exploitation.
Path traversal in jishenghua jshERP up to version 3.6 allows authenticated remote attackers to manipulate the `fileName` argument at the `addAccountHeadAndDetail` endpoint, producing limited but confirmed integrity and availability impacts (I:L/A:L). The vulnerability is in `AccountHeadService.java` within the Java ERP application, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. The vendor had not responded to the responsible disclosure at time of reporting, and no patch is available.
Information disclosure in JeecgBoot up to 3.9.2 allows authenticated remote attackers to extract password salt values by manipulating the `salt` argument in the `queryPageList` function of the User List Endpoint (`SysUserController.java`). While the CVSS score is low (3.1) due to high attack complexity and a low-privilege authentication requirement, a publicly available proof-of-concept (GitHub issue #9648) exists and no vendor patch has been released - only one planned for a future version. Exposure of salt values is particularly sensitive as it can facilitate offline password hash cracking if hashes are separately obtained.
Truncation of chunked Oblivious HTTP (OHTTP) streams in netty-incubator-codec-ohttp prior to 0.0.22.Final silently passes partial, cryptographically-incomplete messages to the receiving application with no decryption error or exception. An on-path adversary - the OHTTP relay itself or a MITM on the relay↔gateway or relay↔client transport - can cut a legitimate chunked-OHTTP message at any non-final chunk boundary and cleanly close the outer HTTP body, bypassing the cryptographic integrity guarantee the final-chunk marker is designed to provide. No public exploit is identified (CVSS E:U) and no CISA KEV listing exists, but the integrity impact is rated High (VI:H) given that receivers silently accept and may act on structurally incomplete messages.
Incorrect native memory address resolution in Netty's Oblivious HTTP (OHTTP) BoringSSL JNI bridge allows unauthenticated remote attackers to corrupt memory belonging to concurrent connections and disclose the contents of adjacent pooled direct buffers - including HPKE encryption key material - on affected OHTTP gateways. The flaw exists in versions prior to 0.0.22.Final of netty-incubator-codec-ohttp and is only reachable when the JVM is configured to deny `sun.misc.Unsafe` access, causing the vulnerable fallback address-resolution path to activate. This directly undermines the confidentiality guarantees Oblivious HTTP is designed to provide; no public exploit code exists and the vulnerability is not listed in the CISA KEV catalog (CVSS 4.0 E:U).
Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the framework's class registration, TypeChecker, and DisallowedList security controls on Java/JVM platforms. By crafting malicious Fory-serialized payloads that exercise the replace-resolve path, an attacker can invoke arbitrary readResolve/readExternal hooks on any class present on the classpath, enabling gadget-chain abuse without authentication. No public exploit identified at time of analysis, but the CVSS 9.1 score and CWE-502 classification reflect the high impact typical of Java deserialization sinks.
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode endpoint's url parameter, causing the server to issue arbitrary outbound HTTP requests via Spring's RestTemplate.getForEntity. The affected component (RestTemplateUtil.java) passes attacker-controlled input directly to the HTTP client without URL validation or allowlisting, enabling internal network reconnaissance, cloud metadata service probing, and potential lateral movement. A public exploit has been disclosed via GitHub issue #35; no vendor patch exists as the project has not responded to the responsible disclosure report.
Sandbox escape in alf.io ticket reservation system prior to version 2.0-M5-2606 allows an authenticated administrator to break out of the Rhino JavaScript extension engine and execute arbitrary OS commands on the host. The flaw stems from an unguarded injected `returnClass` Java object combined with an incomplete AST blocklist, enabling reflection-based escape without triggering validation. No public exploit identified at time of analysis, but the vendor advisory (GHSA-3w8f-mcf6-cm7h) confirms the issue and a patched release is available.
Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. A publicly available proof-of-concept exists (GitHub issue #2233); no public exploitation at scale has been confirmed, and an official vendor patch is available as of v1.7.0.
Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.
Cross-site scripting in 1Panel-dev CordysCRM versions up to 1.6.2 allows a high-privileged authenticated attacker to inject unescaped HTML payloads through request parameters processed by the Jackson string deserializer in RequestParamTrimConfig.java. The root cause is a global XSS escape toggle (xss.escape.all.enabled) that was disabled by default, meaning all incoming string parameters were returned without HTML sanitization. Publicly available exploit code exists (CVSS E:P, confirmed by VulDB disclosure), though the vulnerability has not been listed in CISA KEV and real-world impact is constrained by the high privilege requirement and passive user interaction dependency.
Cross-site scripting in westboy CicadasCMS Task Scheduling Management Module allows a high-privileged, authenticated attacker to inject malicious script payloads via the ScheduleJobController component that execute in a victim user's browser upon viewing the affected page. The vulnerability carries a CVSS base score of just 2.4, reflecting the steep access barriers of required high privileges (PR:H) and mandatory user interaction (UI:R), though a publicly available proof-of-concept exploit exists on the Gitee issue tracker. No active exploitation has been confirmed by CISA KEV, and the vendor has not responded to the responsible disclosure report, meaning no patch is available at time of analysis.
Lockdown mode bypass in Google Android exposes protected information via a logic error in KeyguardViewMediator.java that allows screen pinning to circumvent lockdown protections. Affected versions span Android 14, 15, 16, and 16-qpr2, with exploitation requiring only local low-privileged access and no user interaction. No public exploit has been identified at time of analysis, and the CVSS score of 3.3 reflects a limited-scope, local-only confidentiality impact.
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust application availability by sending specially crafted calls processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but there is no public exploit identified at time of analysis and no CISA KEV listing. Impact is limited to availability - no confidentiality or integrity compromise is possible.
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.
Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.
PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.
Authorization bypass in Spring for GraphQL (versions 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3) allows remote attackers to invoke @Controller data fetcher methods whose security annotations are declared on parent classes or interfaces, because the framework's annotation detection does not consistently resolve annotations across type hierarchies. The flaw is rated CVSS 7.5 (confidentiality-only impact) and no public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS vector makes any affected GraphQL endpoint a meaningful exposure.
Cross-Site WebSocket Hijacking in Spring for GraphQL allows remote attackers to execute arbitrary GraphQL operations under an authenticated victim's identity when the application has enabled the GraphQL WebSocket transport. The flaw stems from missing origin validation on WebSocket handshakes (CWE-346), affecting Spring for GraphQL 1.0.x, 1.3.x, 1.4.x, and 2.0.x branches up to 2.0.3. No public exploit identified at time of analysis, but the high CVSS (8.1) and reliance only on a single victim click make this a meaningful risk for any deployment exposing the WebSocket endpoint.
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.
Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.
Replay attack protections in Spring Web Services are silently ineffective across multiple major branches due to Wss4jSecurityInterceptor failing to wire configured Apache WSS4J ReplayCache instances into the RequestData object at validation time. Operators who believe UsernameToken nonce replay, Timestamp replay, and SAML one-time-use checks are enforced are unknowingly running without those controls. A network-positioned attacker can intercept and replay valid WS-Security tokens - including credentials and SAML assertions - to re-execute previously-authorized SOAP operations, with no public exploit identified at time of analysis and no CISA KEV listing.
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.
Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.
Spring Web Services' Wss4jSecurityInterceptor silently defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's own safer default and permitting inbound WS-Security decryption to accept the weak RSA PKCS#1 v1.5 (rsa-1_5) key transport algorithm. This misconfiguration-by-default affects all four supported release trains (3.1.x, 4.0.x, 4.1.x, 5.0.x) and opens deployed SOAP services to Bleichenbacher-style adaptive chosen-ciphertext attacks against server-side RSA key material unless operators explicitly override the flag. No public exploit has been identified at time of analysis, and the CVSS-assigned high attack complexity (AC:H) reflects the significant number of oracle queries required to mount a practical attack.
X509AuthenticationProvider in Spring Web Services issues fully authenticated tokens from client certificates without enforcing Spring Security's account lifecycle checks, meaning disabled, locked, expired, or credentials-expired accounts can successfully authenticate. This affects all maintained release branches from 3.1.0 through 5.0.1 and was reported by VMware, the Spring project maintainer. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass is meaningful in environments that rely on account-disablement as the primary deprovisioning control rather than certificate revocation.
Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. The CVSS 8.2 score reflects high integrity impact because protocol-level cryptographic checks expected by downstream consumers are silently weakened.
Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.
Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.
Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authentication bypass via X.509 certificate impersonation in Spring Security affects versions 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, and 6.5.0-6.5.10, where the SubjectDnX509PrincipalExtractor mishandles malformed Common Name (CN) values and resolves the principal to the wrong identity. An attacker holding a carefully crafted client certificate can authenticate as a different legitimate user, gaining their privileges. No public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects no observed exploitation activity.
Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.
Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. No public exploit identified at time of analysis, but the CVSS 8.1 rating and CWE-502 classification place this firmly in the high-impact Java deserialization category that has historically yielded remote code execution.
Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.
Spring Data REST leaks persistence-layer internals - including database schema details, Hibernate/JPA exception messages, and query structures - by serializing the full exception cause chain directly into HTTP error response bodies. All five active release lines are affected (3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x), and the CVSS vector confirms unauthenticated remote exploitation against default configurations with no user interaction required. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the zero-friction access conditions make any network-exposed Spring Data REST deployment a realistic target for automated reconnaissance that could enable follow-on, more damaging attacks.
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
Authorization bypass in Spring Data REST's JSON Patch handler allows remote unauthenticated attackers to modify protected entity fields by routing writes through intermediate path segments of a multi-segment JSON Pointer. The flaw affects Spring Data REST 3.7.x through 5.0.5 and carries a CVSS 7.5 (high) integrity-only impact; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Unbounded heap growth in Spring for Apache Kafka's DelegatingDeserializer allows an authenticated network producer to trigger a Denial of Service against any consumer application that opts into this deserializer. By flooding the consumer with Kafka records carrying unique, randomized spring.kafka.serialization.selector header values, an attacker forces unbounded cache growth on the consumer's JVM heap, ultimately inducing GC thrash and OutOfMemoryError. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low-complexity, network-accessible attack surface warrants prompt remediation for affected deployments.
Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
Denial-of-service in Spring Data Commons (versions 2.7.0-4.0.5) allows remote unauthenticated attackers to exhaust JVM heap memory by repeatedly submitting unique property-name strings that are permanently retained in an internal property-lookup cache. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting purely availability impact. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Improper certificate validation in Spring AMQP allows a network-positioned attacker to perform a man-in-the-middle attack against applications that configure broker connections via RabbitConnectionFactoryBean.setUri("amqps://...") without explicitly calling setUseSSL(true). Affected are Spring AMQP versions 2.4.0 through 4.0.3 across four release lines. Although TLS encryption is established, the absence of certificate chain validation and hostname verification means a rogue broker can impersonate the legitimate RabbitMQ instance, exposing message content in transit. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.
Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.
Predictable correlation IDs in Spring AMQP's RabbitTemplate.sendAndReceive() expose request-reply messaging to correlation hijacking when a fixed reply queue is configured. Affected are all widely used Spring AMQP branches from 2.4.x through 4.0.x - a broad install base across Java enterprise applications. A network-positioned attacker with high privileges can exploit the sequential counter to predict future correlation IDs, enabling interception or injection of reply messages into the shared fixed reply queue. No public exploit code exists and this vulnerability is not listed in CISA KEV; CVSS 4.4 Medium reflects real-world limitations from high privilege and complexity requirements despite the changed scope indicator.
Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.
Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.
Denial of service in Spring Data Commons 3.4.x, 3.5.x, and 4.0.x allows remote unauthenticated attackers to exhaust server resources by supplying crafted property path strings that the MappingContext resolves inefficiently. The flaw is reachable wherever applications expose property path parsing to untrusted input, and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) it is trivially triggerable, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. No public exploit identified at time of analysis and EPSS is very low (0.01%), but CVSS rates impact as High due to full confidentiality, integrity, and availability loss on the application.
XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.
Denial of service in Spring Security's SAML 2.0 service provider module allows remote unauthenticated attackers to exhaust application memory by submitting a maliciously compressed SAML payload over the REDIRECT binding. The flaw stems from an unbounded inflater that decompresses attacker-controlled data without size limits, enabling a classic decompression-bomb attack against any Spring application using SAML Login or Logout. No public exploit identified at time of analysis, but the network-reachable, no-authentication CVSS profile (7.5 High) makes this a near-term patching priority for SAML-enabled deployments.
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by embedding payloads in DICOM file metadata fields such as Study Description, which are reflected unsanitized through popup.jsp and archiving/uploadfiles_jsp.java. A publicly available proof-of-concept exists, and the researcher's published chain explicitly demonstrates escalation from this XSS primitive to remote code execution, materially elevating the real-world severity beyond the CVSS 5.3 score. No public exploit identified as confirmed actively exploited (CISA KEV) at time of analysis, but the healthcare context and documented RCE chain make this a high-priority finding for any OpenClinic GA deployment.
Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.
Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unsafe JSON deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) lets an attacker who controls JMS message content instantiate arbitrary classes, enabling gadget-chain attacks that can escalate to unauthorized actions or remote code execution. It affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 when applications consume messages from an untrusted JMS source. There is no public exploit identified at time of analysis, and despite a 9.8 CVSS the EPSS probability is only 0.04% and CISA SSVC rates exploitation as 'none'.
Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.
Denial of service in VMware's Spring Framework (versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7) lets remote attackers exhaust memory in applications that evaluate user-supplied Spring Expression Language (SpEL) expressions, where crafted expressions trigger unbounded internal cache growth. No authentication or user interaction is required per the CVSS vector (PR:N/UI:N), and the impact is availability-only (C:N/I:N/A:H). There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.01%, 2nd percentile), though CISA's SSVC framework flags the issue as automatable.
Algorithmic denial of service in Spring Framework SpEL evaluation allows remote unauthenticated attackers to exhaust CPU/memory resources by submitting specially crafted Spring Expression Language expressions, degrading or crashing affected applications. Impacts Spring Framework 5.3.x through 7.0.x in any application that evaluates user-supplied SpEL. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high availability impact with no confidentiality or integrity compromise.
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. Applications that evaluate untrusted SpEL input are at greatest risk.
Denial of service in Spring Framework's AntPathMatcher allows remote unauthenticated attackers to exhaust CPU resources via Regular Expression Denial of Service (ReDoS) when attacker-controlled patterns are passed to match(), matchStart(), or extractUriTemplateVariables(). Affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. No public exploit identified at time of analysis, EPSS is very low (0.01%, 2nd percentile), and SSVC indicates no observed exploitation.
Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Cross-site scripting (XSS) in Spring Framework's MVC JSP form tags allows unauthenticated remote attackers to inject arbitrary HTML or JavaScript into rendered pages by supplying malicious values through the cssClass, cssErrorClass, or cssStyle tag attributes. Applications across four active Spring Framework release lines (5.3.x through 7.0.x) are affected when they pass user-controlled input directly into these tag attributes. No public exploit code has been identified at time of analysis, and CISA has not listed this CVE in the Known Exploited Vulnerabilities catalog, but the broad installed base of Spring MVC in enterprise Java environments and the high confidentiality impact (session hijacking, credential theft) warrant prompt patching.
Cross-site scripting in Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 allows remote attackers to inject JavaScript into victim browsers when applications rely on JavaScriptUtils.javaScriptEscape() for output encoding. The flaw stems from incomplete escaping in this utility method, and successful exploitation requires user interaction (UI:R) such as visiting a crafted page. No public exploit has been identified at time of analysis and the issue is not in CISA KEV.
Open redirect in Spring Framework (Spring MVC and Spring WebFlux) across four major version branches enables unauthenticated remote attackers to craft URLs that cause the application to issue a 302 HTTP redirect to an arbitrary attacker-controlled external host. The vulnerability is conditionally exploitable - requiring a catch-all wildcard route mapping without an explicit view name - and demands user interaction to trigger. CVSS rates this 4.2 Medium (AV:N/AC:H/PR:N/UI:R); no public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in Spring Framework's static resource resolution exposes arbitrary server files to unauthenticated remote attackers across both Spring MVC and Spring WebFlux stacks. Four major release lines - 5.3.x, 6.1.x, 6.2.x, and 7.0.x - are affected, making this a broad-surface issue for the Java ecosystem. The CVSS vector confirms unauthenticated network access with high confidentiality impact, though the AC:H designation indicates non-trivial exploit conditions; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Denial of service in Spring Framework's Spring MVC and WebFlux static resource resolution allows remote unauthenticated attackers to exhaust application resources, affecting versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. The CVSS 7.5 score reflects high-impact availability damage over the network with no privileges or user interaction, and at time of analysis no public exploit identified at time of analysis. The flaw was reported by VMware (Spring's maintainer) and is tracked under the official Spring Security advisory.
Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector indicates exploitation requires specific conditions beyond default network access.
Denial of Service in Spring WebFlux's multipart request processing allows unauthenticated remote attackers to exhaust server resources across all supported Spring Framework branches. Affects Spring Framework 5.3.x through 7.0.x when applications use the reactive WebFlux stack and expose endpoints that accept multipart data. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the network-reachable, zero-privilege attack surface warrants prompt patching for internet-facing WebFlux deployments.
Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Predictable WebSocket session IDs in Spring Framework's spring-websocket module allow remote attackers to guess or forge session identifiers and, when paired with weak authorization rules, hijack or interact with other users' WebSocket sessions. The flaw affects Spring Framework 5.3.x, 6.1.x, 6.2.x, and 7.0.x prior to patched releases; no public exploit identified at time of analysis and EPSS is very low (0.03%).
Authentication bypass in Spring LDAP's DirContextAuthenticationStrategy allows remote unauthenticated attackers to succeed at LDAP bind operations by supplying any non-empty username paired with an empty or null password, due to the framework failing to reject such anonymous-equivalent bind requests. Affected releases span Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3, putting Java applications that delegate authentication to these libraries at risk of impersonating arbitrary users. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stateful retry cache exhaustion in Spring Retry 1.3.0-1.3.4 and 2.0.0-2.0.12 allows an unauthenticated remote attacker to permanently disable all retry and circuit breaker logic application-wide by flooding the service with uniquely crafted failure-triggering requests until the bounded cache is saturated. Once exhausted, the cache enters a terminal rejection state that persists until the application is restarted - making this a durable, high-impact denial-of-service condition against Java services relying on Spring Retry for resilience. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible unauthenticated attack surface makes this relevant to any internet-facing Spring application using stateful retry patterns.
Unauthenticated remote access to the Source Connection Test endpoint in DTStack Taier up to 1.4.0 is possible because the `preHandle` method in `LoginInterceptor.java` does not invoke `tokenService.decryption(token)`, allowing any network-reachable caller to bypass authentication entirely. The same patch commit reveals that `ConnFactory.getSimpleConn()` also lacked JDBC URL sanitization, meaning an unauthenticated attacker could supply dangerous parameters such as `autoDeserialize` or `allowLoadLocalInfile` to a malicious MySQL-compatible server, elevating the real-world impact well above the assigned CVSS 5.5 Medium rating. Publicly available exploit code exists (CVSS E:P confirmed); no CISA KEV listing is confirmed at time of analysis.
Reflected cross-site scripting in SAP NetWeaver JAVA's JDBC Test Servlet enables unauthenticated remote attackers to craft malicious URLs that execute arbitrary JavaScript in a victim's browser upon interaction. The Changed Scope (S:C) in the CVSS vector indicates the injected script can affect browser context beyond the vulnerable origin, enabling session theft, credential harvesting, or unauthorized modification of webclient data. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manipulate file inclusion parameters within crafted HTTP logon requests, leading to inclusion and processing of arbitrary local files. Successful exploitation can expose or modify sensitive data and render portions of the server unavailable, with no public exploit identified at time of analysis but a CVSS of 9.0 reflecting full CIA impact with scope change.
DNS cache poisoning in Netty's resolver component (io.netty:netty-resolver-dns) enables remote unauthenticated attackers to redirect downstream application traffic to attacker-controlled IPs through a Kaminsky-style spoofing attack. The vulnerability combines two compounding weaknesses present in the default configuration: DNS transaction IDs shuffled with a mathematically predictable Linear Congruential Generator (ThreadLocalRandom), and a static UDP source port resulting from the default ChannelPerResolver channel strategy. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the Netty project rated it high severity and released fixes in versions 4.1.135.Final and 4.2.15.Final.
File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.
Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.
Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.
Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). Publicly available exploit code exists per GitHub issue #354 and CVSS E:P; no public exploit identified at time of analysis in CISA KEV, and the CVSS 4.0 score of 2.1 reflects the limited impact and required user interaction.
Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.
Path traversal in hsweb-framework up to version 5.0.1 allows authenticated remote attackers to write files outside the intended upload directory by manipulating the filename argument in the file upload component. The root cause is insufficient sanitization of path sequences — including URL-encoded variants (`..%2F`) and Windows-style backslashes (`..\`) — in the `denied` function of `FileUploadProperties.java`. A public exploit has been disclosed via GitHub issue #344, and a patch commit is available; no KEV listing indicates opportunistic rather than confirmed mass exploitation.
Path traversal in jishenghua jshERP up to version 3.6 allows authenticated remote attackers to manipulate the `fileName` argument at the `addAccountHeadAndDetail` endpoint, producing limited but confirmed integrity and availability impacts (I:L/A:L). The vulnerability is in `AccountHeadService.java` within the Java ERP application, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. The vendor had not responded to the responsible disclosure at time of reporting, and no patch is available.
Information disclosure in JeecgBoot up to 3.9.2 allows authenticated remote attackers to extract password salt values by manipulating the `salt` argument in the `queryPageList` function of the User List Endpoint (`SysUserController.java`). While the CVSS score is low (3.1) due to high attack complexity and a low-privilege authentication requirement, a publicly available proof-of-concept (GitHub issue #9648) exists and no vendor patch has been released - only one planned for a future version. Exposure of salt values is particularly sensitive as it can facilitate offline password hash cracking if hashes are separately obtained.
Truncation of chunked Oblivious HTTP (OHTTP) streams in netty-incubator-codec-ohttp prior to 0.0.22.Final silently passes partial, cryptographically-incomplete messages to the receiving application with no decryption error or exception. An on-path adversary - the OHTTP relay itself or a MITM on the relay↔gateway or relay↔client transport - can cut a legitimate chunked-OHTTP message at any non-final chunk boundary and cleanly close the outer HTTP body, bypassing the cryptographic integrity guarantee the final-chunk marker is designed to provide. No public exploit is identified (CVSS E:U) and no CISA KEV listing exists, but the integrity impact is rated High (VI:H) given that receivers silently accept and may act on structurally incomplete messages.
Incorrect native memory address resolution in Netty's Oblivious HTTP (OHTTP) BoringSSL JNI bridge allows unauthenticated remote attackers to corrupt memory belonging to concurrent connections and disclose the contents of adjacent pooled direct buffers - including HPKE encryption key material - on affected OHTTP gateways. The flaw exists in versions prior to 0.0.22.Final of netty-incubator-codec-ohttp and is only reachable when the JVM is configured to deny `sun.misc.Unsafe` access, causing the vulnerable fallback address-resolution path to activate. This directly undermines the confidentiality guarantees Oblivious HTTP is designed to provide; no public exploit code exists and the vulnerability is not listed in the CISA KEV catalog (CVSS 4.0 E:U).
Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the framework's class registration, TypeChecker, and DisallowedList security controls on Java/JVM platforms. By crafting malicious Fory-serialized payloads that exercise the replace-resolve path, an attacker can invoke arbitrary readResolve/readExternal hooks on any class present on the classpath, enabling gadget-chain abuse without authentication. No public exploit identified at time of analysis, but the CVSS 9.1 score and CWE-502 classification reflect the high impact typical of Java deserialization sinks.
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode endpoint's url parameter, causing the server to issue arbitrary outbound HTTP requests via Spring's RestTemplate.getForEntity. The affected component (RestTemplateUtil.java) passes attacker-controlled input directly to the HTTP client without URL validation or allowlisting, enabling internal network reconnaissance, cloud metadata service probing, and potential lateral movement. A public exploit has been disclosed via GitHub issue #35; no vendor patch exists as the project has not responded to the responsible disclosure report.
Sandbox escape in alf.io ticket reservation system prior to version 2.0-M5-2606 allows an authenticated administrator to break out of the Rhino JavaScript extension engine and execute arbitrary OS commands on the host. The flaw stems from an unguarded injected `returnClass` Java object combined with an incomplete AST blocklist, enabling reflection-based escape without triggering validation. No public exploit identified at time of analysis, but the vendor advisory (GHSA-3w8f-mcf6-cm7h) confirms the issue and a patched release is available.
Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. A publicly available proof-of-concept exists (GitHub issue #2233); no public exploitation at scale has been confirmed, and an official vendor patch is available as of v1.7.0.
Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.
Cross-site scripting in 1Panel-dev CordysCRM versions up to 1.6.2 allows a high-privileged authenticated attacker to inject unescaped HTML payloads through request parameters processed by the Jackson string deserializer in RequestParamTrimConfig.java. The root cause is a global XSS escape toggle (xss.escape.all.enabled) that was disabled by default, meaning all incoming string parameters were returned without HTML sanitization. Publicly available exploit code exists (CVSS E:P, confirmed by VulDB disclosure), though the vulnerability has not been listed in CISA KEV and real-world impact is constrained by the high privilege requirement and passive user interaction dependency.
Cross-site scripting in westboy CicadasCMS Task Scheduling Management Module allows a high-privileged, authenticated attacker to inject malicious script payloads via the ScheduleJobController component that execute in a victim user's browser upon viewing the affected page. The vulnerability carries a CVSS base score of just 2.4, reflecting the steep access barriers of required high privileges (PR:H) and mandatory user interaction (UI:R), though a publicly available proof-of-concept exploit exists on the Gitee issue tracker. No active exploitation has been confirmed by CISA KEV, and the vendor has not responded to the responsible disclosure report, meaning no patch is available at time of analysis.
Lockdown mode bypass in Google Android exposes protected information via a logic error in KeyguardViewMediator.java that allows screen pinning to circumvent lockdown protections. Affected versions span Android 14, 15, 16, and 16-qpr2, with exploitation requiring only local low-privileged access and no user interaction. No public exploit has been identified at time of analysis, and the CVSS score of 3.3 reflects a limited-scope, local-only confidentiality impact.