CVE Catalog

CVE-2026-41851

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

Applications that accept user-supplied SpEL expressions may be vulnerable to a DoS attack if expression evaluation triggers unbounded cache growth.

Risk Assessment

An attacker can overload the server, causing service unavailability for legitimate users.

Recommendation

Update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on your release line.

Original NVD description (English source)

Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS