CVE-2026-41849
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
CVE-2026-41849 describes an integer overflow vulnerability in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Risk Assessment
The organization may experience a denial of service, leading to application downtime and potential financial losses.
Recommendation
It is recommended to update the Spring Framework to a version newer than 5.3.48 to mitigate this vulnerability.
Original NVD description (English source)
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Framework 5.3.0 through 5.3.48.

