CVE-2026-41716

HIGH EPSS 28.2%

Published Jun 10, 20262w ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jun 10, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

28.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-770

Affected Products 5

Vendor	Product	Version	Range
broadcom	spring_data_commons	*	≥2.7.0 – <2.7.20
broadcom	spring_data_commons	*	≥3.3.0 – <3.3.17
broadcom	spring_data_commons	*	≥3.4.0 – <3.4.15
broadcom	spring_data_commons	*	≥3.5.0 – <3.5.12
broadcom	spring_data_commons	*	≥4.0.0 – <4.0.6

References 1

spring.io https://spring.io/security/cve-2026-41716

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.