5.3
CVE-2026-41852
- EPSS 0.16%
- Veröffentlicht 09.06.2026 03:51:39
- Zuletzt bearbeitet 27.06.2026 21:16:30
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
Spring Framework Arbitrary Method Invocation in SpEL Expressions
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Framework Version >= 5.3.0 < 5.3.49
VMware ≫ Spring Framework Version >= 6.1.0 < 6.1.28
VMware ≫ Spring Framework Version >= 6.2.0 < 6.2.19
VMware ≫ Spring Framework Version >= 7.0.0 < 7.0.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.059 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security@vmware.com | 3.7 | 2.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://spring.io/security/cve-2026-41852