VMware


Products by VMware Sorted by Most Security Vulnerabilities since 2018

VMware Spring Framework: 158 vulnerabilities
VMware Cloud Foundation: 123 vulnerabilities
VMware Workstation: 110 vulnerabilities
VMware ESXi: 94 vulnerabilities (VMware ESXi is a type-1 bare metal hypervisor.)
VMware Fusion: 64 vulnerabilities
VMware vCenter Server: 64 vulnerabilities
VMware Spring Security: 27 vulnerabilities
VMware ESX: 26 vulnerabilities
VMware Aria Operations: 22 vulnerabilities
VMware Telco Cloud Platform: 16 vulnerabilities
VMware RabbitMQ: 15 vulnerabilities
VMware vRealize Operations: 14 vulnerabilities
VMware Tools: 9 vulnerabilities
VMware vRealize Automation: 8 vulnerabilities
VMware AirWatch Console: 6 vulnerabilities
VMware Horizon Client: 6 vulnerabilities
VMware Server: 6 vulnerabilities
VMware Spring Cloud Gateway: 6 vulnerabilities
VMware Player: 5 vulnerabilities
VMware Aria Automation: 4 vulnerabilities
VMware Horizon DaaS: 4 vulnerabilities
VMware Identity Manager: 3 vulnerabilities
VMware Remote Console: 3 vulnerabilities
VMware vMA: 3 vulnerabilities
VMware ACE: 2 vulnerabilities
VMware Cloud Director: 2 vulnerabilities
VMware NSX: 2 vulnerabilities
VMware RabbitMQ Java Client: 2 vulnerabilities
VMware HCX: 2 vulnerabilities
VMware SD-WAN Edge: 1 vulnerability

Recent VMware Security Advisories

Published - Advisory - Severity - Title
2026-06-12 - CVE-2026-47835 - High - Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores
2026-06-11 - CVE-2026-47825 - High - Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
2026-06-11 - CVE-2026-41862 - High - Kryo deserialization of persisted context without class allowlist
2026-06-11 - CVE-2026-41708 - High - Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability
2026-06-10 - CVE-2026-40995 - Medium - X.509 authentication bypasses Spring Security account checks
2026-06-10 - CVE-2026-40987 - High - Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
2026-06-10 - CVE-2026-40996 - Medium - Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default
2026-06-10 - CVE-2026-40999 - High - Spring WS SSRF via unvalidated WS-Addressing reply destinations
2026-06-10 - CVE-2026-40986 - Medium - Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML
2026-06-10 - CVE-2026-40997 - Medium - SOAP security faults leak Spring Security account state

Known Exploited VMware Vulnerabilities

The following VMware vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-22224 - added March 4, 2025 - exploit probability 1.5%
VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

VMware ESXi Arbitrary Write Vulnerability
CVE-2025-22225 - added March 4, 2025 - exploit probability 1.0%
VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.

VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
CVE-2025-22226 - added March 4, 2025 - exploit probability 1.7%
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.

VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
CVE-2024-38812 - added November 20, 2024 - exploit probability 53.5%
VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet.

VMware vCenter Server Privilege Escalation Vulnerability
CVE-2024-38813 - added November 20, 2024 - exploit probability 14.6%
VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet.

VMware ESXi Authentication Bypass Vulnerability
CVE-2024-37085 - added July 30, 2024 - exploit probability 26.8%
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

VMware vCenter Server Incorrect Default File Permissions Vulnerability
CVE-2022-22948 - added July 17, 2024 - exploit probability 13.9%
VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

VMware vCenter Server Out-of-Bounds Write Vulnerability
CVE-2023-34048 - added January 22, 2024 - exploit probability 99.2%
VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.

VMware Tools Authentication Bypass Vulnerability
CVE-2023-20867 - added June 23, 2023 - exploit probability 13.6%
VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

VMware Aria Operations for Networks Command Injection Vulnerability
CVE-2023-20887 - added June 22, 2023 - exploit probability 98.1%
VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.

VMware Spring Cloud Gateway Code Injection Vulnerability
CVE-2022-22947 - added May 16, 2022 - exploit probability 98.3%
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

VMware Multiple Products Privilege Escalation Vulnerability
CVE-2022-22960 - added April 15, 2022 - exploit probability 37.2%
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.

VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
CVE-2022-22954 - added April 14, 2022 - exploit probability 100.0%
VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.

Spring Framework JDK 9+ Remote Code Execution Vulnerability
CVE-2022-22965 - added April 4, 2022 - exploit probability 99.7%
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability
CVE-2018-6961 - added March 25, 2022 - exploit probability 86.4%
VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution.

VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability
CVE-2021-21973 - added March 7, 2022 - exploit probability 88.0%
VMware vCenter Server and Cloud Foundation Server contain an SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure.

VMware Server Side Request Forgery in vRealize Operations Manager API
CVE-2021-21975 - added January 18, 2022 - exploit probability 78.4%
Server Side Request Forgery (SSRF) in the vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform an SSRF attack to steal administrative credentials.

VMware vCenter Server Improper Access Control
CVE-2021-22017 - added January 10, 2022 - exploit probability 46.7%
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization.

VMware ESXi/Horizon DaaS Appliances Heap-Overwrite Vulnerability
CVE-2019-5544 - added November 3, 2021 - exploit probability 96.8%
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution.

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector Comm
CVE-2020-4006 - added November 3, 2021 - exploit probability 23.8%
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a command injection vulnerability.

Of the known exploited vulnerabilities above, 9 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 8 known exploited VMware vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest VMware Vulnerabilities

These VMware vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) list and are ranked by their current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2021-21985 100.0% VMware vCenter Server Remote Code Execution Vulnerability
2 CVE-2021-22005 100.0% VMware vCenter Server File Upload
3 CVE-2022-22954 100.0% VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
4 CVE-2022-22965 99.7% Spring Framework JDK 9+ Remote Code Execution Vulnerability
5 CVE-2021-21972 99.6% VMware vCenter Server Remote Code Execution Vulnerability
6 CVE-2023-34048 99.2% VMware vCenter Server Out-of-Bounds Write Vulnerability
7 CVE-2022-22947 98.3% VMware Spring Cloud Gateway Code Injection Vulnerability
8 CVE-2023-20887 98.1% Vmware Aria Operations for Networks Command Injection Vulnerability
9 CVE-2019-5544 96.8% VMware ESXi/Horizon DaaS Appliances Heap-Overwrite Vulnerability
10 CVE-2020-3952 90.4% VMware vCenter Server Info Disclosure Vulnerability

By the Year

In 2026 there have been 119 vulnerabilities in VMware products, with an average score of 6.6 out of ten. Last year, in 2025, VMware had 39 security vulnerabilities published. That is, 80 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 0.64.

Year Vulnerabilities Average Score
2026 119 6.56
2025 39 7.20
2024 52 7.02
2023 72 7.31
2022 79 7.21
2021 77 7.29
2020 61 7.01
2019 31 7.15
2018 59 7.22

It may take a day or so for new VMware vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent VMware Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-47825 Jun 15, 2026
Spring Cloud Gateway XFF Header Forwarding Issue (3.1.13) Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
Spring Framework
CVE-2026-41708 Jun 15, 2026
DoS with crafted calls in Spring Cloud Sleuth 3.1.x (sleuth-instrumentation) In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.
Spring Framework
CVE-2026-47835 Jun 15, 2026
Spring AI Vector Store ES/OpenSearch/GemFire Query Injection v1.0.0-1.1.x (fixed 1.1.8) In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).
Spring Framework
CVE-2026-41856 Jun 11, 2026
Spring GraphQL 1.02.0.3 Annotation Harness flaw: @Sec annotations ignored in C2 inheritance The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Spring Framework
CVE-2026-41700 Jun 11, 2026
Spring GraphQL WebSocket Hijacking (v1.02.0.3) Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Spring Framework
CVE-2026-41699 Jun 11, 2026
RCE via Unsafe Deserialization in Spring for GraphQL 1.32.0 Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
Spring Framework
CVE-2026-41001 Jun 11, 2026
Spring Boot Artemis DataDir Path Prediction 2.7.0-4.0.6 Local Attack Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.
Spring Framework
CVE-2026-41000 Jun 11, 2026
Spring WS ReplayCache Wiring Flaw (5.0.x,4.1.x,4.0.x,3.1.x) Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40999 Jun 11, 2026
Spring WS RCE via unsafe WS-Addressing ReplyTo/FaultTo (before 5.0.2) When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40998 Jun 11, 2026
Spring WS 3.15.0 XXE via XpathTemplate & default JDK XML Parser Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40997 Jun 11, 2026
Spring WS 5.0.05.0.1 Detail Account State via Exception Messages in Spring Security Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40996 Jun 11, 2026
Spring Web Services 3.1.0-5.0.1 Insecure RSA PKCS#1 v1.5 Key Transport Default Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40995 Jun 11, 2026
Spring Web Services 4.05.0 X509AuthProvider bypasses account state checks X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40994 Jun 11, 2026
Spring WS Vulnerable: Wss4jSI Bypass WSS4J BSP (5.0.0-5.0.1,4.1.0-4.1.3) Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Spring Framework
CVE-2026-40992 Jun 11, 2026
Spring Boot Mail Auto-Config missing hostname verification (3.4-4.0) Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Spring Framework
CVE-2026-40987 Jun 11, 2026
Spring Integration 5.5.0-5.5.20 FTP/SFTP/SMB arbitrary file write A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
Spring Framework
CVE-2026-40986 Jun 11, 2026
SPRING WEB FLOW JS RemotingHandler XSS via Error Rendering (<4.0.0, 3.0.0-3.0.1, 2.5.0-2.5.1) Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Spring Framework
CVE-2026-40985 Jun 11, 2026
Spring Web Flow: EL Injection via WebFlowELExpressionParser (v4.0.0,3.x,2.x) Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Spring Framework
CVE-2026-47838 Jun 09, 2026
Spring Security X.509 CN Mismatch: SubjectDnX509PrincipalExtractor (5.7-6.5) SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
Spring Framework
CVE-2026-41837 Jun 09, 2026
SPRING DATA REST 3.x5.0.x Querydsl Path Traversal via ARB PROP Keys Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Framework
CVE-2026-41732 Jun 09, 2026
Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17) JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Spring Framework
CVE-2026-41731 Jun 09, 2026
Spring for Apache Kafka 4.0.5 JDK deserialisation via header mapping JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Spring Framework
CVE-2026-41730 Jun 09, 2026
Spring Data REST 3.7.05.0.5 exception cause chain leakage Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Framework
CVE-2026-41729 Jun 09, 2026
Spring Data REST 3.7.0-5.0.5 JSON Patch SpEL Injection via Map Keys Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Framework
CVE-2026-41728 Jun 09, 2026
Spring Data REST JSON Patch WriteFilter Bypass 3.7-5.0.5 Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Framework
CVE-2026-41727 Jun 09, 2026
Spring Kafka 2.8-4.0.5 retry_topic header validation flaw Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Spring Framework
CVE-2026-41726 Jun 09, 2026
Spring-Kafka 2.8.0-4.0.5 OOM via DelegatingDeserializer When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Spring Framework
CVE-2026-41721 Jun 09, 2026
Spring Data Commons DoS via @ProjectedPayload (4.0.5) Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Spring Framework
CVE-2026-41719 Jun 09, 2026
Spring Data KeyValue/Redis SpEL Injection via Sort (4.0.5) A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Spring Framework
CVE-2026-41717 Jun 09, 2026
Spring Data MongoDB 5.0.5 SpEL Injection via @Query capture-all Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Spring Framework
CVE-2026-41716 Jun 09, 2026
Heap Exhaustion via Cache Key Leak in Spring Data Commons (2.7.0-4.0.5) Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Spring Framework
CVE-2026-41714 Jun 09, 2026
Spring AMQP TLS Bypass: AMQPS URI without SSL enabled (v2.4.04.0.3) Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Spring Framework
CVE-2026-41711 Jun 09, 2026
Spring Data Commons DoS via StackOverflowException (Sort) v2.74.0.5 Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Spring Framework
CVE-2026-41706 Jun 09, 2026
Spring Security CookieRequestCache URL redirect without validation 5.7-7.0 Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Spring Framework
CVE-2026-41701 Jun 09, 2026
Spring AMQP 4.0.3 correlation ID predictability in sendAndReceive() Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Spring Framework
CVE-2026-41697 Jun 09, 2026
Spring Data Relational QBE StringMatcher SQLi (4.0.x-3.0.x) Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
Spring Framework
CVE-2026-41696 Jun 09, 2026
Spring Data MongoDB <=5.0.5 Regex Injection via @Query Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Spring Framework
CVE-2026-41695 Jun 09, 2026
Spring Data Commons 3.4-4.0.5 DoS via Property Path Exhaustion Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
Spring Framework
CVE-2026-41694 Jun 09, 2026
Spring Security SAML Decryption Oracle (v5.7-7.0.5) Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Spring Framework
CVE-2026-41008 Jun 09, 2026
Spring Authorization Server <=7.0.5 Open Redirect via request_uri Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.
Spring Framework
CVE-2026-41003 Jun 09, 2026
Spring Security 5.7-5.8,6.3-6.5,7.0 RelyingPartyRegistration XSS/Code Exec An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Spring Framework
CVE-2026-40993 Jun 09, 2026
Spring Security 7.0.0-7.0.5 - Stored Serialized Payload via JdbcAPMRepo An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
Spring Framework
CVE-2026-40991 Jun 09, 2026
Spring REST Docs XXE via API Documentation Tests (v2.0.0-4.0.0) When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
Spring Framework
CVE-2026-40988 Jun 09, 2026
Denial of Service in Spring Security SAML2-REDIRECT (5.7.0-7.0.5) An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Spring Framework
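The shape of the REDIRECT-binding DoS above and its bounded counterpart, as an added example that is not Spring Security code. In the HTTP-Redirect binding the SAMLRequest/SAMLResponse value is raw DEFLATE (RFC 1951) then base64 (the URL-encoding layer is omitted here); inflating it with no output bound lets a few kilobytes of query string expand to many megabytes. The AuthnRequest is a constructed stand-in and the 1 MiB ceiling is an assumed limit, not a Spring setting.

```python
"""Unbounded vs bounded inflation of a SAML HTTP-Redirect payload."""
import base64
import zlib

MAX_INFLATED = 1 << 20  # assumed ceiling; real SAML messages are far smaller

# Constructed sample message, not a real request.
SAMPLE_AUTHN_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        b'ID="_constructed" Version="2.0"/>')


def encode_redirect_payload(xml: bytes) -> str:
    """What a sender (or an attacker) does: raw DEFLATE, then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(co.compress(xml) + co.flush()).decode("ascii")


def inflate_unbounded(encoded: str) -> bytes:
    """Vulnerable shape: the output size is whatever the stream dictates."""
    return zlib.decompress(base64.b64decode(encoded), -15)


def inflate_bounded(encoded: str, limit: int = MAX_INFLATED) -> bytes:
    """Inflate while counting output, aborting as soon as `limit` is exceeded."""
    d = zlib.decompressobj(-15)
    out = bytearray()
    buf = base64.b64decode(encoded)
    while buf:
        # max_length caps what this call may produce; leftover input stays in
        # unconsumed_tail. Asking for limit+1 detects an overflow in one step.
        out += d.decompress(buf, limit - len(out) + 1)
        if len(out) > limit:
            raise ValueError(f"inflated SAML message exceeds {limit} bytes")
        buf = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or invalid DEFLATE stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = encode_redirect_payload(b"\0" * (8 << 20))      # 8 MiB of zeros
    print("query-string bytes:", len(bomb))                 # a few kilobytes
    try:
        inflate_bounded(bomb)
    except ValueError as err:
        print("rejected:", err)
```

The bounded version also refuses a stream that ends before DEFLATE's end-of-block marker, so a truncated or deliberately open-ended payload cannot hold a partially filled buffer alive.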
CVE-2026-41007 Jun 09, 2026
Unbounded Static Cache in Spring HATEOAS 1.5.0-3.0.3 (SLR) Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Spring Framework
CVE-2026-41006 Jun 09, 2026
Spring HATEOAS 1.5.x-3.0.x: Unsafe Bean Binding via Reflection (CVE-2026-41006) Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Spring Framework
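The binding pattern in the HATEOAS advisory above, modelled as an added example in Python (not Spring HATEOAS code). A Collection+JSON-style write template (name/value pairs) is bound onto an object: `bind_by_reflection` sets any attribute the payload names, which is how a field the API exposes read-only ends up client-controlled, while `bind_with_access_rules` consults declared access metadata (standing in for Jackson's access annotations) and fails closed on anything else. The `Account` type and the request document are constructed for the demo.

```python
"""Reflection-style property binding with and without access rules."""
from dataclasses import dataclass, field, fields


@dataclass
class Account:
    username: str = ""
    email: str = ""
    # Exposed in representations but never settable from a request body,
    # the equivalent of a read-only access annotation.
    is_admin: bool = field(default=False, metadata={"access": "read_only"})


def template_to_dict(doc: dict) -> dict:
    """Collection+JSON write template: {"template": {"data": [{"name":..,"value":..}]}}."""
    return {item["name"]: item["value"] for item in doc["template"]["data"]}


def bind_by_reflection(target, values: dict):
    """Vulnerable shape: every attribute the target has is writable."""
    for name, value in values.items():
        if hasattr(target, name):
            setattr(target, name, value)
    return target


def bind_with_access_rules(target, values: dict):
    """Fixed shape: only declared-writable fields; unknown or read-only names are rejected."""
    writable = {f.name for f in fields(target)
                if f.metadata.get("access") != "read_only"}
    rejected = set(values) - writable
    if rejected:
        raise ValueError(f"not writable from a request body: {sorted(rejected)}")
    for name, value in values.items():
        setattr(target, name, value)
    return target


# Constructed request: a client trying to promote itself.
CONSTRUCTED_REQUEST = {"template": {"data": [
    {"name": "username", "value": "mallory"},
    {"name": "email", "value": "mallory@example.test"},
    {"name": "is_admin", "value": True},
]}}

if __name__ == "__main__":
    values = template_to_dict(CONSTRUCTED_REQUEST)
    print(bind_by_reflection(Account(), values))   # is_admin=True slipped through
    try:
        bind_with_access_rules(Account(), values)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting unknown names rather than silently dropping them is a deliberate choice: a silently ignored field hides the fact that a client is probing for writable properties.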
CVE-2026-41844 Jun 09, 2026
Spring MVC/WebFlux /** Mapping 302 Redirect EIP (5.3-7.0) A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Spring Framework
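Redirect-target checks covering the two redirect advisories above (the Spring Authorization Server request_uri issue and the Spring MVC/WebFlux `/**` mapping issue), as an added example that is not Spring code; the allowed host, registered URIs and request_uri table are constructed. Two rules are shown: a redirect derived from request input is followed only if it stays on the site, with the forms browsers resolve to a foreign host even without a scheme refused explicitly; and for OAuth/OIDC, redirect_uri is compared by exact string equality with the client's registered URIs and validated before any other parameter, because every later error (an unusable request_uri included) is reported by redirecting to it.

```python
"""Same-site redirect validation and OAuth redirect_uri handling."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example"}                                   # assumed: this app's host(s)
KNOWN_REQUEST_URIS = {"urn:ietf:params:oauth:request_uri:demo"}   # assumed PAR lookup table


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS) -> "str | None":
    """Return `raw` if it is a same-site redirect target, else None."""
    if not raw or any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        return None                      # control characters (header splitting)
    if "\\" in raw:
        return None                      # browsers treat '\' as '/'; urlsplit does not
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Accept a single-slash absolute path only:
        # "//host" carries a netloc and is caught below, but "///host" does
        # not, and browsers resolve it to https://host/.
        return raw if raw.startswith("/") and not raw.startswith("//") else None
    if parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, "https:evil" (no authority)
    host = parts.hostname                # lower-cased; None when there is no authority
    if host is None or host not in allowed_hosts:
        return None                      # "https://app.example@evil.com" has hostname evil.com
    return raw


def registered_redirect_uri(candidate: str, registered) -> "str | None":
    """OAuth redirect_uri rule: exact string match, never prefix or host matching."""
    return candidate if candidate in registered else None


def authorization_endpoint(params: dict, registered) -> tuple:
    """Order of checks for an authorization request (simplified model).

    Returns ("local_error", message) when the server must render the error
    itself, or ("redirect", location) when redirecting is safe. redirect_uri is
    treated as required; request_uri handling is reduced to known / not known.
    """
    redirect = registered_redirect_uri(params.get("redirect_uri", ""), registered)
    if redirect is None:
        # The one error that must never be delivered by redirect: the target
        # itself is untrusted, whatever else is wrong with the request.
        return ("local_error", "invalid redirect_uri")
    request_uri = params.get("request_uri")
    if request_uri is not None and request_uri not in KNOWN_REQUEST_URIS:
        return ("redirect", redirect + "?error=invalid_request_uri")
    return ("redirect", redirect + "?code=<authorization code>")


if __name__ == "__main__":
    for target in ["/account", "//evil.com/", "///evil.com", "https://app.example@evil.com/"]:
        print(repr(target), "->", safe_redirect_target(target))
```

The prefix-matching shortcut some implementations use for redirect_uri is exactly what exact comparison rules out: `https://app.example/cb/../evil` and `https://app.example.evil.com/cb` both start with a registered value and are both rejected here.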
CVE-2026-41842 Jun 09, 2026
Spring MVC/WebFlux Static Resource DoS (5.3-7.0.7) Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Spring Framework
CVE-2026-41841 Jun 09, 2026
Info Disclosure via Static Resource Resolution in Spring Framework (v5.3-7.0) Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Spring Framework
CVE-2026-41840 Jun 09, 2026
Spring WebFlux DoS via Multipart (5.3-7.0.7) Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Spring Framework
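A check of a deployed version against the affected ranges quoted in these advisories, as an added example that is neither stack.watch nor VMware tooling. It parses the "Affected versions: ... X through Y; ..." clauses exactly as they appear on this page (including "2.0.0.RELEASE" style names and single releases such as "Spring REST Docs 4.0.0") and answers whether a given version falls inside any range. Ranges are per product, so when a clause names two products, as the request_uri advisory does, pass only the part for the product you run. The "next release after the range" value is derived from the range end, not stated by the advisory; confirm it against the vendor advisory before treating it as the fix version.

```python
"""Parse 'Affected versions' clauses and test a version against them."""
import re

RANGE_RE = re.compile(
    r"(\d+(?:\.\d+)+)(?:\.RELEASE)?\s+through\s+(\d+(?:\.\d+)+)(?:\.RELEASE)?")
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){2,}(?:\.RELEASE)?\b")

# Clauses quoted from the advisories on this page.
SPRING_SECURITY_CLAUSE = ("Affected versions: Spring Security 5.7.0 through 5.7.23; "
                          "5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; "
                          "6.5.0 through 6.5.10; 7.0.0 through 7.0.5.")
REST_DOCS_CLAUSE = ("Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; "
                    "2.0.0.RELEASE through 2.0.8.RELEASE.")


def parse_version(s: str) -> tuple:
    """'2.0.8.RELEASE' -> (2, 0, 8); '7.0' -> (7, 0, 0)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    return parts + (0,) * (3 - len(parts))


def parse_affected(text: str) -> list:
    """Return [(low, high), ...] inclusive ranges found in an affected-versions clause."""
    body = text.split("Affected versions:", 1)[-1]
    ranges, spans = [], []
    for m in RANGE_RE.finditer(body):
        ranges.append((parse_version(m.group(1)), parse_version(m.group(2))))
        spans.append(m.span())
    # A version that is not part of an "A through B" pair is a single affected release.
    leftover = "".join(ch for i, ch in enumerate(body)
                       if not any(a <= i < b for a, b in spans))
    for m in VERSION_RE.finditer(leftover):
        v = parse_version(m.group(0))
        ranges.append((v, v))
    return ranges


def affected_range(version: str, ranges: list):
    """The (low, high) range containing `version`, or None if it is outside all of them."""
    v = parse_version(version)
    for low, high in ranges:
        if low <= v <= high:
            return (low, high)
    return None


def is_affected(version: str, ranges: list) -> bool:
    return affected_range(version, ranges) is not None


def next_release_after(high: tuple) -> str:
    """Derived hint only: the patch release immediately after a range end."""
    return ".".join(map(str, high[:-1] + (high[-1] + 1,)))


if __name__ == "__main__":
    ranges = parse_affected(SPRING_SECURITY_CLAUSE)
    for v in ("6.4.9", "6.4.17", "7.0.5"):
        hit = affected_range(v, ranges)
        print(v, "affected, look at" if hit else "outside listed ranges",
              next_release_after(hit[1]) if hit else "")
```

Because the comparison is tuple-wise on numeric components, a suffix such as `.RELEASE` or a missing patch component does not change the result, which matters when the version you read from a build manifest is not written the way the advisory writes it.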
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).