CVE-2026-41721
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
A vulnerability in Spring Data Commons can lead to a Denial of Service (DoS) condition when Spring Data Web Support is enabled with a Controller method using @ProjectedPayload. An attacker can send a crafted HTTP request causing excessive memory allocation.
Risk Assessment
The organization risks application downtime due to memory exhaustion, potentially leading to service unavailability and financial losses.
Recommendation
Immediately upgrade Spring Data Commons to version 4.0.6 or later (for the 4.0.x branch) and corresponding fixed versions for other branches as per vendor advisory.
Original NVD description (English source)
Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

