The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
-
CVE-2026-41721 - Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTT... read CVE-2026-41721
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-41728 - Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19;... read CVE-2026-41728
Published: June 09, 2026; 8:16:52 PM -0400 -
CVE-2026-41729 - Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used a... read CVE-2026-41729
Published: June 09, 2026; 8:16:52 PM -0400 -
CVE-2026-41730 - Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 th... read CVE-2026-41730
Published: June 09, 2026; 8:16:52 PM -0400 -
CVE-2026-41837 - Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3... read CVE-2026-41837
Published: June 09, 2026; 8:16:52 PM -0400 -
CVE-2026-41699 - Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (... read CVE-2026-41699
Published: June 11, 2026; 3:16:28 AM -0400V3.1: 9.8 CRITICAL
-
CVE-2026-41700 - Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary Grap... read CVE-2026-41700
Published: June 11, 2026; 3:16:28 AM -0400 -
CVE-2026-41856 - The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all condi... read CVE-2026-41856
Published: June 11, 2026; 3:16:28 AM -0400 -
CVE-2026-41719 - A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring... read CVE-2026-41719
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-40993 - An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification o... read CVE-2026-40993
Published: June 09, 2026; 8:16:50 PM -0400V3.1: 7.2 HIGH
-
CVE-2026-41003 - An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.... read CVE-2026-41003
Published: June 09, 2026; 8:16:50 PM -0400V3.1: 5.4 MEDIUM
-
CVE-2026-41008 - Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated re... read CVE-2026-41008
Published: June 09, 2026; 8:16:50 PM -0400 -
CVE-2026-41694 - Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption ... read CVE-2026-41694
Published: June 09, 2026; 8:16:50 PM -0400V3.1: 5.3 MEDIUM
-
CVE-2026-41695 - Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0... read CVE-2026-41695
Published: June 09, 2026; 8:16:50 PM -0400 -
CVE-2026-41696 - Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quo... read CVE-2026-41696
Published: June 09, 2026; 8:16:50 PM -0400 -
CVE-2026-41706 - Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the f... read CVE-2026-41706
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-41711 - Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0... read CVE-2026-41711
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-41716 - Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3... read CVE-2026-41716
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-41717 - Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placehol... read CVE-2026-41717
Published: June 09, 2026; 8:16:51 PM -0400 -
CVE-2026-40988 - An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affect... read CVE-2026-40988
Published: June 09, 2026; 8:16:49 PM -0400