CVE-2026-40992

Published Jun 11, 2026

Last updated 3 days ago

CVSS medium 5.0

Overview

Description
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Source
security@vmware.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
5
Impact score
3.4
Exploitability score
1.6
Vector string
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

security@vmware.com
CWE-295

Social media

Hype score
Not currently trending

References

Sources include official advisories and independent security research.