Skip to main content

Spring Data Mongodb

3 CVEs product

Monthly

CVE-2026-41717 HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41696 MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java Spring Data Mongodb
NVD VulDB HeroDevs
CVSS 3.1
5.9
EPSS
0.0%
CVE-2022-22980 Maven CRITICAL PATCH Act Now

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Code Injection Spring Data Mongodb
NVD
CVSS 3.1
9.8
EPSS
16.9%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java +1
NVD VulDB HeroDevs
EPSS 17% CVSS 9.8
CRITICAL PATCH Act Now

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Code Injection Spring Data Mongodb
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy