Ghostwire

CVE-2026-41007: Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied...

HIGH CVSS 7.5

Published: June 9, 2026 | Last Modified: June 9, 2026

Description

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Ghostwire Analysis — What This Means Practically

High CVSS score indicates significant risk — exploitation could lead to substantial data exposure or system compromise.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

References

www.tenable.com/cve/CVE-2026-41007
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-41007
spring.io/security/cve-2026-41007