CVE-2026-41007
- EPSS 0.3%
- Veröffentlicht 09.06.2026 04:00:47
- Zuletzt bearbeitet 27.06.2026 22:16:46
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 throug...
CVE-2026-41006
- EPSS 0.28%
- Veröffentlicht 09.06.2026 03:57:39
- Zuletzt bearbeitet 27.06.2026 22:16:46
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected v...
CVE-2023-34036
- EPSS 0.4%
- Veröffentlicht 17.07.2023 11:15:09
- Zuletzt bearbeitet 21.11.2024 08:06:26
Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything e...