CVE Catalog

CVE-2026-41844

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

A vulnerability in Spring MVC and Spring WebFlux allows an attacker to redirect a user to an arbitrary external host via a crafted link with the 'redirect:' prefix, when the application configures a mapping for '/**' without explicitly specifying a view name.

Risk Assessment

An attacker can exploit this flaw for phishing attacks or redirecting users to malicious sites, potentially leading to data theft or malware infection.

Recommendation

Immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used, and avoid configuring '/**' mapping without an explicit view name.

Original NVD description (English source)

A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS