CVE-2026-41716
7.5 HIGHSpring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhau...
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-770
Description
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-24720 — An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6
- CVE-2026-41726 — When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with uniqu... (6.5 MEDIUM)
- CVE-2026-28237 — Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of ...
- CVE-2026-49955 — Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade... (5.3 MEDIUM)
- CVE-2026-42570 — Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job (7.5 HIGH)