Skip to main content

Spring Data Commons

7 CVEs product

Monthly

CVE-2026-41721 MEDIUM PATCH This Month

Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-41716 HIGH PATCH This Week

Denial-of-service in Spring Data Commons (versions 2.7.0-4.0.5) allows remote unauthenticated attackers to exhaust JVM heap memory by repeatedly submitting unique property-name strings that are permanently retained in an internal property-lookup cache. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting purely availability impact. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41711 MEDIUM PATCH This Month

Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Denial Of Service Java Spring Data Commons
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-41695 HIGH This Week

Denial of service in Spring Data Commons 3.4.x, 3.5.x, and 4.0.x allows remote unauthenticated attackers to exhaust server resources by supplying crafted property path strings that the MappingContext resolves inefficiently. The flaw is reachable wherever applications expose property path parsing to untrusted input, and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) it is trivially triggerable, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Denial Of Service Java Spring Data Commons
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2018-1259 Maven HIGH PATCH This Week

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Data Commons Spring Data Rest Xmlbeam
NVD VulDB
CVSS 3.0
7.5
EPSS
5.0%
CVE-2018-1274 Maven HIGH PATCH This Week

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Java Denial Of Service Spring Data Commons Spring Data Rest
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2018-1273 Maven CRITICAL POC KEV PATCH THREAT Act Now

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Code Injection RCE Spring Data Commons Spring Data Rest +2
NVD VulDB
CVSS 3.1
9.8
EPSS
95.6%
Threat
7.8
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in Spring Data Commons (versions 2.7.0-4.0.5) allows remote unauthenticated attackers to exhaust JVM heap memory by repeatedly submitting unique property-name strings that are permanently retained in an internal property-lookup cache. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting purely availability impact. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Denial Of Service Java Spring Data Commons
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Spring Data Commons 3.4.x, 3.5.x, and 4.0.x allows remote unauthenticated attackers to exhaust server resources by supplying crafted property path strings that the MappingContext resolves inefficiently. The flaw is reachable wherever applications expose property path parsing to untrusted input, and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) it is trivially triggerable, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Denial Of Service Java Spring Data Commons
NVD VulDB HeroDevs
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Data Commons +2
NVD VulDB
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Java Denial Of Service Spring Data Commons +1
NVD
EPSS 96% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Code Injection RCE +4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy