惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
K
Kaspersky official blog
A
Arctic Wolf
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 热门话题
N
News | PayPal Newsroom
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
B
Blog RSS Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
W
WeLiveSecurity
Know Your Adversary
Know Your Adversary
博客园 - Franky
T
Tenable Blog
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Help Net Security
Help Net Security
WordPress大学
WordPress大学
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
D
Darknet – Hacking Tools, Hacker News & Cyber Security
H
Heimdal Security Blog
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
J
Java Code Geeks
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Apple Machine Learning Research
Apple Machine Learning Research
NISL@THU
NISL@THU
O
OpenAI News
The Cloudflare Blog
月光博客
月光博客
Google Online Security Blog
Google Online Security Blog
V
V2EX
罗磊的独立博客
美团技术团队
博客园 - 三生石上(FineUI控件)
Security Latest
Security Latest
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏

Spring Security Advisories

CVE-2026-47835: Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores CVE-2026-41862: Kryo deserialization of persisted context without class allowlist CVE-2026-41708: Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations CVE-2026-40985: Data Binding Vulnerability in Spring Web Flow with Unified EL Parser CVE-2026-40986: Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML CVE-2026-40987: Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization CVE-2026-40994: Wss4jSecurityInterceptor disables WS-I BSP validation by default CVE-2026-40995: X.509 authentication bypasses Spring Security account checks CVE-2026-40997: SOAP security faults leak Spring Security account state CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource CVE-2026-40999: Spring WS SSRF via unvalidated WS-Addressing reply destinations CVE-2026-41000: WSS4J validation does not use configured replay cache CVE-2026-40996: Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default CVE-2026-40992: Mail Auto-Configuration Does Not Enable SSL Hostname Verification CVE-2026-41001: Predictable Temp Directory in Artemis Auto-configuration CVE-2026-41699: Unsafe Deserialization in Spring GraphQL CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability CVE-2026-41695: Denial of Service in Spring Data Commons Property Path Resolution CVE-2026-41696: Spring Data MongoDB Bind Parameter Literal Quoting Breakout CVE-2026-41697: Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern CVE-2026-41711: Potential Denial of Service through crafted Sort Parameters CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names CVE-2026-41717: Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding CVE-2026-41719: Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator CVE-2026-40991: XML External Entity (XXE) injection when documenting untrusted XML content CVE-2026-41721: Spring Data Commons Denial of Service via Data Binding CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections CVE-2026-40993: Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry CVE-2026-40988: Unbounded DEFLATE Inflation in SAML 2.0 Service Provider CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting CVE-2026-41008: Spring Security Authorization Server Open Redirect via request_uri CVE-2026-41694: SAML Payloads Decrypted Without Valid Signature CVE-2026-41706: Open Redirect When Using CookieRequestCache CVE-2026-41714: In Spring AMQP the `RabbitConnectionFactoryBean.setUri("amqps://...")` bypasses secure SSL setup, uses `TrustEverythingTrustManager` CVE-2026-41701: In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues CVE-2026-41726: In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch CVE-2026-41730: Spring Data REST exposes persistence-layer internals in error responses CVE-2026-41727: In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization CVE-2026-41732: In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization CVE-2026-41837: Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys CVE-2026-47838: Unauthorized User Impersonation when Using X.509 Client Certificates CVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability CVE-2026-41715: Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect CVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability CVE-2026-41007: Spring HATEOAS heap exhaustion through unbounded internal caching CVE-2026-41006: Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP CVE-2026-41838: Spring Framework Predictable Session ID in WebSocket Module CVE-2026-41839: Spring Framework Escalation via Session Fixation in WebFlux CVE-2026-41710: Cache Exhaustion in Stateful Retries leads to Denial of Service CVE-2026-41840: Spring Framework Denial of Service via Multipart Requests in WebFlux CVE-2026-41863: LLM-influenced filename used unsanitized in Path.resolve before file write in Spring AI support for Anthropic Skills API CVE-2026-40989: Self Routing guard bypassed via function composition CVE-2026-40990: Unbounded cache for function definitions CVE-2026-41705: Expression injection in MilvusVectorStore doDelete allows data destruction CVE-2026-41712: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage CVE-2026-41713: Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor CVE-2026-41002: Spring Cloud Config Server Susceptible To TOCTOU Attack CVE-2026-40982: Directory Traversal with spring-cloud-config-server CVE-2026-40981: Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager CVE-2026-41004: Spring Cloud Config Server Logged Sensitive Information CVE-2026-40968 - Medium - CVE-2026-40968: Spring gRPC SecurityContext leaks across requests on authorization failure CVE-2026-40969 - Low - CVE-2026-40969: Spring gRPC AuthenticationException message reflected to remote client CVE-2026-40966 - Moderate - CVE-2026-40966: VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration CVE-2026-40978 - High - CVE-2026-40978: SQL Injection in CosmosDBVectorStore.doDelete() CVE-2026-40979 - Moderate - CVE-2026-40979: ONNX model cache defaults to world-writable predictable /tmp directory CVE-2026-40980 - Moderate - CVE-2026-40980: OOM by attacker-controlled PDF CVE-2026-40970 - Medium - CVE-2026-40970: Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification CVE-2026-40971 - Medium - CVE-2026-40971: RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification CVE-2026-40972 - High - CVE-2026-40972: DevTools remote secret comparison is vulnerable to timing attacks CVE-2026-40973 - High - CVE-2026-40973: Predictable temp directory accepted without ownership verification CVE-2026-40974 - Medium - CVE-2026-40974: Cassandra SSL auto-configuration disables TLS hostname verification CVE-2026-40975 - Medium - CVE-2026-40975: Random value property source uses a weak PRNG unsuitable for secrets CVE-2026-40977 - Medium - CVE-2026-40977: PID file write follows symlinks at predictable default path CVE-2026-40976 - Critical - CVE-2026-40976: Default security filter chain has no authorization rule with Actuator but without Health CVE-2026-22751: Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions CVE-2026-22752: Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata CVE-2026-22746: User Attribute Enumeration when Using DaoAuthenticationProvider CVE-2026-22753: Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers CVE-2026-22754: Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules CVE-2026-22747: Unauthorized User Impersonation when Using X.509 Client Certificates CVE-2026-22748: Potential Security Misconfiguration when Using withIssuerLocation CVE-2026-22740: Spring Framework DoS with Multipart Temp Files in WebFlux CVE-2026-22741: Static resource cache poisoning in Spring MVC and WebFlux CVE-2026-22745 : Denial of service in static resource handling on Windows platforms CVE-2026-22750: SSL bundle configuration silently bypassed in Spring Cloud Gateway CVE-2026-22738: SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution CVE-2026-22744: RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore CVE-2026-22743: Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore CVE-2026-22742: Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching CVE-2026-22739: Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks CVE-2026-22731: Authentication Bypass under Actuator Health groups paths cve-2026-22732: Under Some Conditions Spring Security HTTP Headers Are not Written CVE-2026-22737: Spring Framework Improper Path Limitation with Script View Templates CVE-2026-22733: Authentication Bypass under Actuator CloudFoundry endpoints CVE-2026-22735: Server Sent Event stream corruption
CVE-2026-40967 - High - CVE-2026-40967: VectorStore FilterExpression Converter injection
Spring · 2026-04-27 · via Spring Security Advisories
Description In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Only applications that use VectorStore implementations and pass user-supplied input as a filterExpression are affected. Affected Spring Products and Versions Spring AI: 1.0.0 - 1.0.x 1.1.0 - 1.1.x Mitigation Users of affected versions should upgrade to the corresponding fixed version. Affected version(s) Fix version Availability 1.0.x 1.0.6 OSS 1.1.x 1.1.5 OSS No further mitigation steps are necessary. Credit The issue was reported responsibly by Quan Le of Unit 515 from OPSWAT @aleister1102 Cantina's AppSec agent, Apex ( https://www.cantina.security/ ) @Evil-Squirt1e Bofei Chen @qxyuan853 Andrew Orr at Tenable @blindhacker99 - https://x.com/ph0smet ChenPeng [Ant Group] SharlongWen @wo1enca1ca1 Meriem BELHORA @MeryBelh @rockmelodies Hyunwoo Kim ( @V4bel ) Yu Bao August829 - yubao@paypal.com - who works for paypal.com References https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L