CVE Catalog

CVE-2026-41717

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

A SpEL injection vulnerability in Spring Data MongoDB occurs during parameter binding in @Query annotated repository methods using a capture-all placeholder. Attackers can inject malicious SpEL expressions, potentially leading to remote code execution or data compromise.

Risk Assessment

The risk includes potential remote code execution, data exfiltration, or privilege escalation, allowing an attacker to fully compromise the application server.

Recommendation

Upgrade Spring Data MongoDB to version 5.0.6 or later (for 5.0.x branch) and apply corresponding patches for other affected versions. Avoid using capture-all placeholders in @Query methods without proper input validation.

Original NVD description (English source)

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS