Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-devtools version) |
Remediation Possible** |
| CVE-2026-40976 |
 Critical |
9.1 |
spring-boot-4.0.4.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-41850 |
 High |
7.5 |
spring-expression-7.0.6.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40972 |
High |
7.5 |
spring-boot-devtools-4.0.4.jar |
Direct |
4.0.6 |
❌ |
| CVE-2026-40973 |
High |
7.0 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-41851 |
 Medium |
5.3 |
spring-expression-7.0.6.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40974 |
Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40971 |
Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40975 |
Medium |
4.8 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40977 |
Medium |
4.7 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-41852 |
 Low |
3.7 |
spring-expression-7.0.6.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-41848 |
Low |
3.7 |
spring-core-7.0.6.jar |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40976
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-41850
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- spring-boot-4.0.4.jar
- spring-context-7.0.6.jar
- ❌ spring-expression-7.0.6.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41850
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41850
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-expression:7.0.8
Step up your Open Source Security Game with Mend here
CVE-2026-40972
Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Dependency Hierarchy:
- ❌ spring-boot-devtools-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40973
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-41851
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- spring-boot-4.0.4.jar
- spring-context-7.0.6.jar
- ❌ spring-expression-7.0.6.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41851
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41851
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8
Step up your Open Source Security Game with Mend here
CVE-2026-40974
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40971
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40975
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40977
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-41852
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- spring-boot-4.0.4.jar
- spring-context-7.0.6.jar
- ❌ spring-expression-7.0.6.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41852
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41852
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19
Step up your Open Source Security Game with Mend here
CVE-2026-41848
Vulnerable Library - spring-core-7.0.6.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/7.0.6/5e4e7fd5bee4be66a0786abe0c90419a713114b5/spring-core-7.0.6.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- spring-boot-4.0.4.jar
- ❌ spring-core-7.0.6.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41848
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41848
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-core:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-core:6.2.19
Step up your Open Source Security Game with Mend here
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41850
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41850
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-expression:7.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41851
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41851
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-expression-7.0.6.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/7.0.6/c00c73c545c81e2eae224a46a7c509fca74a2860/spring-expression-7.0.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41852
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41852
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-core-7.0.6.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/7.0.6/5e4e7fd5bee4be66a0786abe0c90419a713114b5/spring-core-7.0.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41848
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41848
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-core:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-core:6.2.19
Step up your Open Source Security Game with Mend here