CVE Catalog

CVE-2026-41849

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

16th percentile - higher than 16% of all known CVEs

Summary

CVE-2026-41849 describes an integer overflow vulnerability in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).

Risk Assessment

The organization may experience a denial of service, leading to application downtime and potential financial losses.

Recommendation

It is recommended to update the Spring Framework to a version newer than 5.3.48 to mitigate this vulnerability.

Original NVD description (English source)

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Framework 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS