Skip to content

spring-boot-starter-thymeleaf-3.2.5.jar: 18 vulnerabilities (highest severity is: 9.0) #14

Open
Open
spring-boot-starter-thymeleaf-3.2.5.jar: 18 vulnerabilities (highest severity is: 9.0)#14
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Oct 20, 2024
Vulnerable Library - spring-boot-starter-thymeleaf-3.2.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.14/logback-classic-1.4.14.jar

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-boot-starter-thymeleaf version) Remediation Possible**
CVE-2026-41901 Critical 9.0 detected in multiple dependencies Transitive N/A*
CVE-2026-40478 Critical 9.0 detected in multiple dependencies Transitive 3.5.14
CVE-2026-40477 Critical 9.0 detected in multiple dependencies Transitive 3.5.14
CVE-2026-41850 High 7.5 spring-expression-6.1.6.jar Transitive N/A*
CVE-2025-41249 High 7.5 spring-core-6.1.6.jar Transitive N/A*
CVE-2025-22235 High 7.3 spring-boot-3.2.5.jar Transitive N/A*
CVE-2024-12798 High 7.3 detected in multiple dependencies Transitive 3.3.8
CVE-2025-11226 Medium 6.9 logback-core-1.4.14.jar Transitive 3.4.11
CVE-2025-41242 Medium 5.9 spring-beans-6.1.6.jar Transitive N/A*
CVE-2026-9828 Medium 5.4 logback-core-1.4.14.jar Transitive N/A*
CVE-2026-10532 Medium 5.4 logback-core-1.4.14.jar Transitive N/A*
CVE-2026-41851 Medium 5.3 spring-expression-6.1.6.jar Transitive N/A*
CVE-2026-1225 Medium 5.0 logback-core-1.4.14.jar Transitive N/A*
CVE-2024-12801 Medium 4.6 logback-core-1.4.14.jar Transitive 3.3.8
CVE-2026-41852 Low 3.7 spring-expression-6.1.6.jar Transitive N/A*
CVE-2026-41848 Low 3.7 spring-core-6.1.6.jar Transitive N/A*
CVE-2025-22233 Low 3.1 spring-context-6.1.6.jar Transitive 3.3.12
CVE-2024-38820 Low 3.1 spring-context-6.1.6.jar Transitive 3.2.11

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-41901

Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar

thymeleaf-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.1.2.RELEASE/thymeleaf-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar
      • thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)

thymeleaf-spring6-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/thymeleaf-spring6-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

Publish Date: 2026-05-12

URL: CVE-2026-41901

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c9ph-gxww-7744

Release Date: 2026-05-05

Fix Resolution: org.thymeleaf:thymeleaf-spring6:3.1.5.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.5.RELEASE,org.thymeleaf:thymeleaf:3.1.5.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2026-40478

Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar

thymeleaf-spring6-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/thymeleaf-spring6-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)

thymeleaf-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.1.2.RELEASE/thymeleaf-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar
      • thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Publish Date: 2026-04-17

URL: CVE-2026-40478

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xjw8-8c5c-9r79

Release Date: 2026-04-17

Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14

Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14

Step up your Open Source Security Game with Mend here

CVE-2026-40477

Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar

thymeleaf-spring6-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/thymeleaf-spring6-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)

thymeleaf-3.1.2.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.1.2.RELEASE/thymeleaf-3.1.2.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • thymeleaf-spring6-3.1.2.RELEASE.jar
      • thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Publish Date: 2026-04-17

URL: CVE-2026-40477

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r4v4-5mwr-2fwr

Release Date: 2026-04-17

Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14

Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14

Step up your Open Source Security Game with Mend here

CVE-2026-41850

Vulnerable Library - spring-expression-6.1.6.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.1.6/spring-expression-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar
          • spring-expression-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Publish Date: 2026-06-09

URL: CVE-2026-41850

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-41850

Release Date: 2026-06-09

Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-expression:7.0.8

Step up your Open Source Security Game with Mend here

CVE-2025-41249

Vulnerable Library - spring-core-6.1.6.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/6.1.6/spring-core-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-core-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @⁠EnableMethodSecurity feature.
You are not affected by this if you are not using @⁠EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11

Step up your Open Source Security Game with Mend here

CVE-2025-22235

Vulnerable Library - spring-boot-3.2.5.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.2.5/spring-boot-3.2.5.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection
    You are not affected if any of the following is true:
  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

Publish Date: 2025-04-28

URL: CVE-2025-22235

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-04-24

Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11

Step up your Open Source Security Game with Mend here

CVE-2024-12798

Vulnerable Libraries - logback-core-1.4.14.jar, logback-classic-1.4.14.jar

logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

logback-classic-1.4.14.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.14/logback-classic-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-19

URL: CVE-2024-12798

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pr98-23f8-jwxv

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.3.8

Fix Resolution (ch.qos.logback:logback-classic): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.3.8

Step up your Open Source Security Game with Mend here

CVE-2025-11226

Vulnerable Library - logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must  have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

Publish Date: 2025-10-01

URL: CVE-2025-11226

CVSS 3 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-25qh-j22f-pwp8

Release Date: 2025-10-01

Fix Resolution (ch.qos.logback:logback-core): 1.5.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.4.11

Step up your Open Source Security Game with Mend here

CVE-2025-41242

Vulnerable Library - spring-beans-6.1.6.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/6.1.6/spring-beans-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar
          • spring-aop-6.1.6.jar
            • spring-beans-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:

Publish Date: 2025-08-18

URL: CVE-2025-41242

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-18

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10

Step up your Open Source Security Game with Mend here

CVE-2026-9828

Vulnerable Library - logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.
More precisely, an attacker able to influence serialized data sent to
SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from
classes in the java.lang and java.util packages that are not explicitly
blocked.
Although deserialization is heavily restricted by HardenedObjectInputStream and no
practical way to achieve remote code execution or significant privilege
escalation has been identified, this issue constitutes a bypass of the
intended security restrictions.
This issue affects logback: through 1.5.32 inclusive.

Publish Date: 2026-05-28

URL: CVE-2026-9828

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#⁠1.5.33

Release Date: 2026-05-28

Fix Resolution: ch.qos.logback:logback-core:1.5.33

Step up your Open Source Security Game with Mend here

CVE-2026-10532

Vulnerable Library - logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted.
More precisely, an attacker able to influence serialized data sent to
SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects.
Although deserialization is heavily restricted by HardenedObjectInputStream and no
practical way to achieve remote code execution or significant privilege
escalation has been identified, this issue constitutes a bypass of the
intended security restrictions.
This issue affects logback: through 1.5.33 inclusive.

Publish Date: 2026-06-01

URL: CVE-2026-10532

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-01

Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.34

Step up your Open Source Security Game with Mend here

CVE-2026-41851

Vulnerable Library - spring-expression-6.1.6.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.1.6/spring-expression-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar
          • spring-expression-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Publish Date: 2026-06-09

URL: CVE-2026-41851

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-41851

Release Date: 2026-06-09

Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8

Step up your Open Source Security Game with Mend here

CVE-2026-1225

Vulnerable Library - logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a
configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Publish Date: 2026-01-22

URL: CVE-2026-1225

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-22

Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.25

Step up your Open Source Security Game with Mend here

CVE-2024-12801

Vulnerable Library - logback-core-1.4.14.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-starter-logging-3.2.5.jar
        • logback-classic-1.4.14.jar
          • logback-core-1.4.14.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in  XML configuration files.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-19

URL: CVE-2024-12801

CVSS 3 Score Details (4.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6v67-2wr5-gvf4

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.3.8

Step up your Open Source Security Game with Mend here

CVE-2026-41852

Vulnerable Library - spring-expression-6.1.6.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.1.6/spring-expression-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar
          • spring-expression-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Publish Date: 2026-06-09

URL: CVE-2026-41852

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-41852

Release Date: 2026-06-09

Fix Resolution: org.springframework:spring-expression:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-expression:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19

Step up your Open Source Security Game with Mend here

CVE-2026-41848

Vulnerable Library - spring-core-6.1.6.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/6.1.6/spring-core-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-core-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Publish Date: 2026-06-09

URL: CVE-2026-41848

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-41848

Release Date: 2026-06-09

Fix Resolution: org.springframework:spring-core:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-core:6.2.19

Step up your Open Source Security Game with Mend here

CVE-2025-22233

Vulnerable Library - spring-context-6.1.6.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.1.6/spring-context-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:

  • 6.2.0 - 6.2.6
  • 6.1.0 - 6.1.19
  • 6.0.0 - 6.0.27
  • 5.3.0 - 5.3.42
  • Older, unsupported versions are also affected
    Mitigation
    Users of affected versions should upgrade to the corresponding fixed version.
    Affected version(s)Fix Version Availability 6.2.x
    6.2.7
    OSS6.1.x
    6.1.20
    OSS6.0.x
    6.0.28
    Commercial https://enterprise.spring.io/ 5.3.x
    5.3.43
    Commercial https://enterprise.spring.io/
    No further mitigation steps are necessary.
    Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
    For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
    Credit
    This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

Publish Date: 2025-05-16

URL: CVE-2025-22233

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233

Release Date: 2025-05-16

Fix Resolution (org.springframework:spring-context): 6.1.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.3.12

Step up your Open Source Security Game with Mend here

CVE-2024-38820

Vulnerable Library - spring-context-6.1.6.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/6.1.6/spring-context-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-3.2.5.jar (Root Library)
    • spring-boot-starter-3.2.5.jar
      • spring-boot-3.2.5.jar
        • spring-context-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution (org.springframework:spring-context): 6.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.2.11

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions