|
3541
|
6.4 |
MEDIUM
Network
|
-
|
-
|
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through …
|
CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
|
CVE-2026-40985
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3542
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if t…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40986
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3543
|
7.1 |
HIGH
Network
|
-
|
-
|
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.
Affected version…
|
CWE-22
Path Traversal
|
CVE-2026-40987
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3544
|
5.0 |
MEDIUM
Adjacent
|
-
|
-
|
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=tru…
|
CWE-295
Improper Certificate Validation
|
CVE-2026-40992
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3545
|
8.2 |
HIGH
Network
|
-
|
-
|
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security…
|
CWE-1188
Insecure Default Initialization of Resource
|
CVE-2026-40994
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3546
|
5.4 |
MEDIUM
Network
|
-
|
-
|
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle …
|
CWE-287
Improper Authentication
|
CVE-2026-40995
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3547
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept R…
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-40996
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3548
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or call…
|
CWE-209
Information Exposure Through an Error Message
|
CVE-2026-40997
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3549
|
8.2 |
HIGH
Network
|
-
|
-
|
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior inst…
|
CWE-611
XXE
|
CVE-2026-40998
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3550
|
8.6 |
HIGH
Network
|
-
|
-
|
When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken dire…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40999
|
2026-06-12 00:21 |
2026-06-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
