CVE-2026-41719

MEDIUM EPSS 10.2%

Published Jun 10, 20262w ago · Modified Jun 17, 20261w ago

6.4 CVSS 3.1

Medium

Published Jun 10, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

CVSS Details

Base Score

6.4

Exploitability

1.6

Impact

4.7

Vector string

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector Network

Attack Complexity High

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

10.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-917

References 1

spring.io https://spring.io/security/cve-2026-41719

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.