CVE-2026-41851
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
Applications that accept user-supplied SpEL expressions may be vulnerable to a DoS attack if expression evaluation triggers unbounded cache growth.
Risk Assessment
An attacker can overload the server, causing service unavailability for legitimate users.
Recommendation
Update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on your release line.
Original NVD description (English source)
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

