ByteOS Network

Spring Data Geode

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-2818

Assigner-HeroDevs

View Details

Assigner-HeroDevs

CVSS Score-8.2||HIGH

EPSS-0.07% / 20.97%

7 Day CHG~0.00%

Published-20 Feb, 2026 | 16:03

Updated-20 Feb, 2026 | 20:12

Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.

Vendor-VMware (Broadcom Inc.)

Product-Spring Data Geode Spring Data Gemfire

CWE ID-CWE-23

Relative Path Traversal

CVE-2026-2817

Assigner-HeroDevs

View Details

Assigner-HeroDevs

CVSS Score-4.8||MEDIUM

EPSS-0.01% / 2.51%

7 Day CHG~0.00%

Published-19 Feb, 2026 | 17:18

Updated-20 Feb, 2026 | 20:31

Spring Data Geode Insecure Temporary Directory Usage

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.

Vendor-VMware (Broadcom Inc.)

Product-Spring Data Geode Spring Data Gemfire

CWE ID-CWE-378

Creation of Temporary File With Insecure Permissions

CWE ID-CWE-379

Creation of Temporary File in Directory with Insecure Permissions

CWE ID-CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory