Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

VMware by Broadcom

#dcf2e128-44bd-42ed-91e8-88f912c1401d, 862b2186-222f-48b9-af87-f1fb7bb26d03
PolicyEmail

Short Name

vmware

Program Role

CNA

Top Level Root

MITRE Corporation

Security Advisories

View Advisories

Domain

broadcom.com

Country

USA

Scope

VMware, Spring, and Cloud Foundry issues only.
Reported CVEsVendorsProductsReports
1046Vulnerabilities found

CVE-2026-47871
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.8||HIGH
EPSS-0.90% / 55.71%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Directory Traversal Vulnerability

VMware Avi Load Balancer contains a directory traversal vulnerability. Flaws in file path validation allow malicious, authenticated network users to perform directory traversal attacks. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-47870
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.1||HIGH
EPSS-0.39% / 31.32%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Privilege Escalation Vulnerability

VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious authenticated user with network access may be able to execute remote code. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-47869
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.7||HIGH
EPSS-0.68% / 48.35%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Remote Code Execution Vulnerability

VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious authenticated user with network access may be able to inject and execute code. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-47868
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.40%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Local Privilege Escalation Vulnerability

VMware Avi Load Balancer contains a local privilege escalation vulnerability. A malicious user with local access may be able to escalate their privileges to run code as root. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-47867
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.7||HIGH
EPSS-0.68% / 48.35%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Remote Code Execution Vulnerability

VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious user with network access may be able to access the Avi Control plane and execute code remotely. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-47866
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.3||HIGH
EPSS-0.43% / 34.54%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Authorization Bypass Vulnerability

VMware Avi Load Balancer contains an authorization bypass vulnerability. A malicious actor on the network can access a limited subset of the Avi Control Plane without proper authorization. Affected versions: 32.1.1 (fixed in 32.1.2) 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-47865
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.67%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 08:57
Updated-18 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer Authentication Bypass Vulnerability

VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism. Affected versions: 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Avi Load Balancer
CWE ID-CWE-287
Improper Authentication
CVE-2026-22752
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-9.6||CRITICAL
EPSS-0.43% / 34.48%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:40
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata

Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server. This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.

Action-Not Available
Vendor-Spring Security
Product-Spring Authorization Server
CVE-2026-59269
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-3.8||LOW
EPSS-0.17% / 6.64%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 07:12
Updated-09 Jul, 2026 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation via Active Directory LDAP injection in Pinniped Supervisor can be executed by an attacker who can edit LDAP Group DN entries

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirectoryIdentityProvider.spec.groupSearch.attributes.groupName is empty; the attacker gains the ability to edit some part of the distinguished name (DN) of group entries in the Active Directory (AD) server's database for groups to which they belong; the configured group search parameters cause the edited group to be included in the group search results for the user; and the attacker knows the password for an AD user who belongs to the edited AD group. Affected versions: Pinniped (go.pinniped.dev) v0.11.0 through v0.46.0 inclusive; fixed in v0.47.0.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Pinniped
CWE ID-CWE-20
Improper Input Validation
CVE-2026-47840
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.3||HIGH
EPSS-0.13% / 3.16%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 06:26
Updated-09 Jul, 2026 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LDAP StartTLS unconditionally disables hostname verification

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS. Affected versions: UAA versions prior to v78.13.0; Cf-deployment versions prior to v56.2.0.

Action-Not Available
Vendor-CloudFoundry Foundation
Product-UAACf-deployment
CWE ID-CWE-297
Improper Validation of Certificate with Host Mismatch
CVE-2026-47831
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.7||HIGH
EPSS-0.19% / 8.87%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 06:26
Updated-09 Jul, 2026 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cryptographically Weak Password Generation in bosh-windows-stemcell-builder Allows Remote SSH Brute-Force Attacks

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP/22. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

Action-Not Available
Vendor-Cloud Foundry Foundation
Product-bosh-windows-stemcell-builder
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2026-47830
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.5||HIGH
EPSS-0.10% / 1.06%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 06:25
Updated-09 Jul, 2026 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Permission Assignment Allows Local Privilege Escalation to SYSTEM via Executable Overwrite

Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

Action-Not Available
Vendor-Cloud Foundry Foundation
Product-bosh-windows-stemcell-builder
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-47829
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.7||HIGH
EPSS-0.22% / 13.08%
||
7 Day CHG-0.07%
Published-09 Jul, 2026 | 06:25
Updated-13 Jul, 2026 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argument Injection in BOSH CLI Allows Local Command Execution on Operator Workstations via Compromised Director

Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation. Affected versions: bosh-cli versions prior to v7.10.4.

Action-Not Available
Vendor-CloudFoundry FoundationCloud Foundry
Product-bosh_clibosh-cli
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2026-47828
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.9||HIGH
EPSS-0.15% / 4.43%
||
7 Day CHG+0.06%
Published-09 Jul, 2026 | 06:07
Updated-13 Jul, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing TLS Certificate Verification in BOSH CLI Allows Root Code Execution via Man-in-the-Middle Credential Replay

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director, then replay the credentials against the real VM's agent for root code execution. Affected versions: bosh-cli versions prior to v7.10.4.

Action-Not Available
Vendor-BOSH-Ecosystem / BOSH (bosh-cli)Cloud Foundry
Product-bosh_clibosh-cli
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-47826
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.5||HIGH
EPSS-0.34% / 25.86%
||
7 Day CHG+0.01%
Published-09 Jul, 2026 | 05:45
Updated-13 Jul, 2026 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
blobs.yaml Path Traversal Allows File Writes

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.

Action-Not Available
Vendor-CloudFoundry FoundationCloud Foundry
Product-bosh_cliBOSH CLI tool
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-41857
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.1||HIGH
EPSS-0.15% / 4.44%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 04:31
Updated-13 Jul, 2026 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BOSH CLI Shell Injection

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. Affected versions: BOSH CLI versions prior to 7.10.5.

Action-Not Available
Vendor-CloudFoundry BOSHCloud Foundry
Product-bosh_cliBOSH CLI
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-41862
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.8||HIGH
EPSS-0.42% / 34.37%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 20:59
Updated-25 Jun, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Statemachine
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-47846
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 25.96%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 18:39
Updated-18 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path. Affected versions — Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.

Action-Not Available
Vendor-Bitnami
Product-bitnami/cassandra
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-47847
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.48%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 18:37
Updated-18 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD environment variables defaulted to monitor and monitor respectively. This user is granted REPLICATION CLIENT privileges from any host ('%'). The Bitnami Helm chart for MariaDB Galera did not expose parameters to configure this user's credentials, resulting in all chart deployments using this publicly known credential by default. Affected versions — Container image: 10.6.x prior to 10.6.27-photon-5-r0; 10.11.x prior to 10.11.17-photon-5-r1; 11.4.x prior to 11.4.12-photon-5-r0; 11.8.x prior to 11.8.7-photon-5-r1; 12.3.x prior to 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0. Helm chart: prior to 18.3.0.

Action-Not Available
Vendor-Bitnami
Product-bitnami/mariadb-galerabitnami/mariadb-galera Helm chart
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-47833
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.8||MEDIUM
EPSS-0.12% / 2.57%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 18:30
Updated-18 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job. Affected versions: bpm-release, all versions prior to v1.4.30.

Action-Not Available
Vendor-Cloud Foundry Foundation
Product-bpm-release
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-47825
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.6||HIGH
EPSS-0.14% / 3.68%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 19:34
Updated-23 Jun, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Cloud Gateway
CWE ID-CWE-346
Origin Validation Error
CVE-2026-41708
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.28% / 19.75%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 18:54
Updated-15 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Cloud Sleuth
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-47835
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.6||HIGH
EPSS-0.25% / 16.75%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 18:54
Updated-15 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores

In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring AI
CWE ID-CWE-943
Improper Neutralization of Special Elements in Data Query Logic
CVE-2026-41005
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-9||CRITICAL
EPSS-0.13% / 3.07%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 20:03
Updated-13 Jun, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UAA accepts SAML Encrypted Assertions authentication bypass

Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata, therefore, any party, not only a trusted IdP, can produce ciphertext UAA can decrypt; successful decryption therefore does not prove the IdP issued the message. Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0. Cloud Foundry CF Deployment all versions through 56.1.0.

Action-Not Available
Vendor-Cloud Foundry
Product-UAACF Deployment
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-41856
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.35% / 27.45%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:05
Updated-17 Jul, 2026 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring GraphQL Annotation Detection Vulnerability

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_graphqlSpring for GraphQL
CWE ID-CWE-284
Improper Access Control
CVE-2026-41700
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.18% / 7.91%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-17 Jul, 2026 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site WebSocket Hijacking in Spring for GraphQL

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_graphqlSpring for GraphQL
CWE ID-CWE-346
Origin Validation Error
CVE-2026-41699
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.43% / 34.86%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-17 Jul, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe Deserialization in Spring GraphQL

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_graphqlSpring for GraphQL
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41001
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 0.77%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Predictable Temp Directory in Artemis Auto-configuration

Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Boot
CWE ID-CWE-377
Insecure Temporary File
CVE-2026-41000
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-3.7||LOW
EPSS-0.22% / 12.85%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WSS4J validation does not use configured replay cache

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2026-40999
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.6||HIGH
EPSS-0.38% / 30.54%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring WS SSRF via unvalidated WS-Addressing reply destinations

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40998
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.2||HIGH
EPSS-0.35% / 27.47%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-40997
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.83%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOAP security faults leak Spring Security account state

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2026-40996
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 2.89%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CVE-2026-40995
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.46%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:04
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
X.509 authentication bypasses Spring Security account checks

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-287
Improper Authentication
CVE-2026-40994
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.2||HIGH
EPSS-0.23% / 13.73%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:03
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Services
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CVE-2026-40992
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5||MEDIUM
EPSS-0.12% / 2.49%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:03
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mail Auto-Configuration Does Not Enable SSL Hostname Verification

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Boot
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-40987
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.1||HIGH
EPSS-0.21% / 11.25%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:03
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Integration
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-40986
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 10.17%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:03
Updated-23 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Flow
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-40985
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 13.11%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 05:02
Updated-23 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data Binding Vulnerability in Spring Web Flow with Unified EL Parser

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Spring Web Flow
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-47838
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.8||MEDIUM
EPSS-0.12% / 1.90%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:50
Updated-30 Jun, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized User Impersonation when Using X.509 Client Certificates

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_securitySpring Security
CWE ID-CWE-287
Improper Authentication
CVE-2026-41837
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.91%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_data_restSpring Data REST
CWE ID-CWE-284
Improper Access Control
CVE-2026-41732
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.35% / 26.98%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_apache_pulsarSpring for Apache Pulsar
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41731
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.51% / 40.08%
||
7 Day CHG+0.02%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Red Hat, Inc.
Product-spring_for_apache_kafkafusejboss_enterprise_application_platform_expansion_packSpring for Apache KafkaRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-41730
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.68%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data REST exposes persistence-layer internals in error responses

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_data_restSpring Data REST
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2026-41729
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.39% / 31.60%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data REST SpEL Injection via Map Key in JSON Patch

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_data_restSpring Data REST
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-41728
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.31% / 22.56%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_data_restSpring Data REST
CWE ID-CWE-284
Improper Access Control
CVE-2026-41727
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.05%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_apache_kafkaSpring for Apache Kafka
CWE ID-CWE-20
Improper Input Validation
CVE-2026-41726
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.52%
||
7 Day CHG+0.01%
Published-09 Jun, 2026 | 23:48
Updated-17 Jul, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_for_apache_kafkaSpring for Apache Kafka
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-41721
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5.9||MEDIUM
EPSS-0.33% / 25.25%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:48
Updated-17 Jul, 2026 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data Commons Denial of Service via Data Binding

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Action-Not Available
Vendor-Broadcom Inc.VMware (Broadcom Inc.)
Product-spring_data_commonsSpring Data Commons
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-41719
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.76%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:48
Updated-17 Jul, 2026 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Action-Not Available
Vendor-Broadcom Inc.VMware (Broadcom Inc.)
Product-spring_data_keyvaluespring_data_redisSpring Data KeyValueSpring Data Redis
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next