CVE-2026-41852

Published Jun 9, 2026

Last updated 14 days ago

CVSS low 3.7

Overview

Description: A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Source: security@vmware.com
NVD status: Analyzed
Products: spring_framework

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM

Weaknesses

security@vmware.com: CWE-863

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "9394F974-169E-4FB0-A85B-0114477DE421",
            "versionEndExcluding": "5.3.49",
            "versionStartIncluding": "5.3.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "CE392CE7-5DA3-4DBE-B22C-27781E204B7E",
            "versionEndExcluding": "6.1.28",
            "versionStartIncluding": "6.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "4C369542-3C65-45B4-B70A-A406BA063629",
            "versionEndExcluding": "6.2.19",
            "versionStartIncluding": "6.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F8552E92-04FB-4262-81B0-ABE727526373",
            "versionEndExcluding": "7.0.8",
            "versionStartIncluding": "7.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References