CVE-2026-41840
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.
Risk Assessment
An attacker can send a specially crafted multipart request, causing excessive resource consumption and making the application unavailable.
Recommendation
It is recommended to immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used.
Original NVD description (English source)
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.

