CVE-2026-41852
3.7 LOWA vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within r...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 3.7 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE
- CWE-863
Description
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-24724 — An incorrect authorization vulnerability has been reported to affect File Station 6
- CVE-2026-48303 — Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could re... (10.0 CRITICAL)
- CVE-2026-47929 — ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary c... (8.4 HIGH)
- CVE-2026-47910 — Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file ... (6.3 MEDIUM)
- CVE-2026-48507 — Snipe-IT is an IT asset/license management system (7.1 HIGH)