| CVE-2026-59269 | low | 3.8 | A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elev… | Jul 9, 2026 | Jul 9, 2026 |
| CVE-2026-47835 | high | 8.6 | In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary que… | Jun 15, 2026 | Jun 17, 2026 |
| CVE-2026-41856 | high | 7.5 | The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly re… | Jun 11, 2026 | Jun 30, 2026 |
| CVE-2026-41700 | high | 8.1 | Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Si… | Jun 11, 2026 | Jun 30, 2026 |
| CVE-2026-41699 | high | 8.1 | Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated G… | Jun 11, 2026 | Jun 30, 2026 |
| CVE-2026-47838 | medium | 6.8 | SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN val… | Jun 10, 2026 | Jun 30, 2026 |
| CVE-2026-41837 | medium | 5.3 | Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-param… | Jun 10, 2026 | Jun 30, 2026 |
| CVE-2026-41732 | high | 8.1 | JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning t… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41730 | medium | 5.3 | Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentia… | Jun 10, 2026 | Jun 30, 2026 |
| CVE-2026-41729 | high | 8.1 | Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when proces… | Jun 10, 2026 | Jun 22, 2026 |
| CVE-2026-41728 | high | 7.5 | Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-… | Jun 10, 2026 | Jun 30, 2026 |
| CVE-2026-41727 | medium | 6.5 | Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header value… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41717 | high | 8.1 | Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability.… | Jun 10, 2026 | Jun 30, 2026 |
| CVE-2026-41706 | medium | 6.1 | Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication reque… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41696 | medium | 5.9 | Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding … | Jun 10, 2026 | Jun 22, 2026 |
| CVE-2026-41694 | low | 3.7 | Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and Lo… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41008 | medium | 6.1 | Spring Security Authorization Server's authorization endpoint performs insufficient validation of th… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41003 | high | 7.6 | An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code o… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-40993 | high | 7.3 | An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataReposi… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-40988 | high | 7.5 | An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Lo… | Jun 10, 2026 | Jun 27, 2026 |
| CVE-2026-41855 | high | 8.1 | In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageCon… | Jun 9, 2026 | Jun 29, 2026 |
| CVE-2026-41854 | medium | 4.2 | Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate … | Jun 9, 2026 | Jun 27, 2026 |
| CVE-2026-41853 | medium | 5.3 | Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.
Affected… | Jun 9, 2026 | Jun 27, 2026 |
| CVE-2026-41852 | low | 3.7 | A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argu… | Jun 9, 2026 | Jun 27, 2026 |
| CVE-2026-41851 | medium | 5.3 | Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnera… | Jun 9, 2026 | Jun 27, 2026 |