Common Vulnerabilities and Exposures (CVE)

CVE-2026-41700

Jun 30, 2026 21:51:38 UTC

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitra...

CVE-2026-41699

Jun 30, 2026 21:51:09 UTC

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a pagi...

CVE-2026-47838

Jun 30, 2026 21:49:56 UTC

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonat...

CVE-2026-41837

Jun 30, 2026 21:47:41 UTC

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 th...

CVE-2026-41730

Jun 30, 2026 21:47:00 UTC

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4...

CVE-2026-41728

Jun 30, 2026 21:44:46 UTC

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through ...

CVE-2026-41721

Jun 30, 2026 21:43:34 UTC

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially craf...

CVE-2026-41719

Jun 30, 2026 21:42:20 UTC

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue /...

CVE-2026-41717

Jun 30, 2026 21:40:40 UTC

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all p...

CVE-2026-41716

Jun 30, 2026 21:39:45 UTC

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 th...

CVE-2026-9312

Jun 30, 2026 20:53:28 UTC

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload en...

CVE-2026-9836

Jun 30, 2026 20:09:38 UTC

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.

CVE-2026-43722

Jun 30, 2026 20:04:52 UTC

The issue was addressed with improved input sanitization. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to leak sensitive kernel state.

CVE-2026-43713

Jun 30, 2026 20:04:23 UTC

A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.

CVE-2026-43724

Jun 30, 2026 20:03:10 UTC

The issue was addressed with improved input sanitization. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to cause unexpected system termination or write kernel memory.