Skip to main content

Spring Integration

3 CVEs product

Monthly

CVE-2026-40987 HIGH PATCH This Week

Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.

Path Traversal Java Spring Integration
NVD VulDB HeroDevs
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-5413 Maven CRITICAL PATCH Act Now

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Spring Integration Banking Corporate Lending Process Management Banking Credit Facilities Process Management +5
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2019-3772 Maven CRITICAL PATCH Act Now

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Integration Retail Customer Management And Segmentation Foundation
NVD
CVSS 3.0
9.8
EPSS
3.0%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.

Path Traversal Java Spring Integration
NVD VulDB HeroDevs
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Spring Integration +7
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Integration +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy