
spring-boot-starter-web-4.0.1.jar: 26 vulnerabilities (highest severity is: 9.1) #36

@mend-bolt-for-github

Description

Vulnerable Library - spring-boot-starter-web-4.0.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/7.0.2/ed0b3b7724e8cb4b47976eda5e862b3dd1ed871b/spring-webmvc-7.0.2.jar

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible**
CVE-2026-43512 Critical 9.1 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40976 Critical 9.1 spring-boot-4.0.1.jar Transitive N/A*
CVE-2026-29145 Critical 9.1 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
WS-2026-0003 High 7.5 jackson-core-3.0.3.jar Transitive 4.0.4
CVE-2026-41284 High 7.5 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-34487 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.6
CVE-2026-34483 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.6
CVE-2026-29146 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-29062 High 7.5 jackson-core-3.0.3.jar Transitive N/A*
CVE-2026-24880 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-24734 High 7.4 tomcat-embed-core-11.0.15.jar Transitive 4.0.3
CVE-2026-42498 High 7.3 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40973 High 7.0 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-41293 Medium 6.5 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-22740 Medium 6.5 spring-web-7.0.2.jar Transitive 4.0.6
CVE-2026-25854 Medium 6.1 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-22737 Medium 5.9 spring-webmvc-7.0.2.jar Transitive N/A*
CVE-2026-43513 Medium 5.3 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-32990 Medium 5.3 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-22745 Medium 5.3 spring-webmvc-7.0.2.jar Transitive 4.0.6
CVE-2026-43515 Medium 4.8 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40975 Medium 4.8 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-40977 Medium 4.7 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-43514 Low 3.7 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-22741 Low 3.1 spring-webmvc-7.0.2.jar Transitive 4.0.6
CVE-2026-22735 Low 2.6 detected in multiple dependencies Transitive 4.0.4

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
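Triage of the table above, as an added example that is not part of the Mend report or its tooling. The rows are copied inline as constructed input; the transitive fix versions are the "Fix Resolution" entries from the Details section for the N/A* rows (entries whose details are not visible on this page are left as None); and the `resolved` dictionary near the bottom is a hypothetical reading of `gradle dependencies` output after a bump, not real build output. The script reports the lowest spring-boot-starter-web release that clears every row the bot could map to a direct upgrade, the per-artifact version floors that still have to be pinned for the N/A* rows, and the CVE ids for which no fix version is shown here.

```python
"""Triage of a Mend-style vulnerability table (added example, not Mend tooling)."""
import re

# Rows copied from the table in this report (constructed inline).
TABLE_ROWS = """\
CVE-2026-43512 Critical 9.1 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40976 Critical 9.1 spring-boot-4.0.1.jar Transitive N/A*
CVE-2026-29145 Critical 9.1 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
WS-2026-0003 High 7.5 jackson-core-3.0.3.jar Transitive 4.0.4
CVE-2026-41284 High 7.5 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-34487 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.6
CVE-2026-34483 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.6
CVE-2026-29146 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-29062 High 7.5 jackson-core-3.0.3.jar Transitive N/A*
CVE-2026-24880 High 7.5 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-24734 High 7.4 tomcat-embed-core-11.0.15.jar Transitive 4.0.3
CVE-2026-42498 High 7.3 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40973 High 7.0 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-41293 Medium 6.5 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-22740 Medium 6.5 spring-web-7.0.2.jar Transitive 4.0.6
CVE-2026-25854 Medium 6.1 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-22737 Medium 5.9 spring-webmvc-7.0.2.jar Transitive N/A*
CVE-2026-43513 Medium 5.3 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-32990 Medium 5.3 tomcat-embed-core-11.0.15.jar Transitive 4.0.5
CVE-2026-22745 Medium 5.3 spring-webmvc-7.0.2.jar Transitive 4.0.6
CVE-2026-43515 Medium 4.8 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-40975 Medium 4.8 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-40977 Medium 4.7 spring-boot-4.0.1.jar Transitive 4.0.6
CVE-2026-43514 Low 3.7 tomcat-embed-core-11.0.15.jar Transitive N/A*
CVE-2026-22741 Low 3.1 spring-webmvc-7.0.2.jar Transitive 4.0.6
CVE-2026-22735 Low 2.6 detected in multiple dependencies Transitive 4.0.4
"""

# "Fix Resolution" entries from the Details section for the N/A* rows:
# id -> (artifact that carries the fix, fixed version); None = not visible on this page.
TRANSITIVE_FIX = {
    "CVE-2026-43512": ("tomcat-embed-core", "11.0.22"),
    "CVE-2026-40976": ("spring-boot-security", "4.0.6"),  # fix is in a different artifact than the flagged jar
    "CVE-2026-41284": ("tomcat-embed-core", "11.0.22"),
    "CVE-2026-29062": ("jackson-core", "3.1.0"),
    "CVE-2026-42498": ("tomcat-embed-core", "11.0.22"),
    "CVE-2026-41293": ("tomcat-embed-core", "11.0.22"),
    "CVE-2026-22737": None,
    "CVE-2026-43513": None,
    "CVE-2026-43515": None,
    "CVE-2026-43514": None,
}

# id, severity, cvss, library (may contain spaces), dependency type, fixed-in
ROW_RE = re.compile(r"^(\S+) (\S+) ([\d.]+) (.+?) (Transitive|Direct) (\S+)$")


def vkey(version):
    """Sort key for dotted numeric versions such as 11.0.22 or 4.0.6."""
    return tuple(int(p) for p in version.split("."))


def parse_table(text):
    """Turn the flattened table rows into dicts; N/A* becomes fixed_in=None."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        vid, sev, score, lib, dep_type, fixed = m.groups()
        rows.append({"id": vid, "severity": sev, "cvss": float(score), "library": lib,
                     "type": dep_type, "fixed_in": None if fixed.startswith("N/A") else fixed})
    return rows


def minimum_starter_version(rows):
    """Lowest direct-dependency version covering every row the bot could map to one."""
    return max((r["fixed_in"] for r in rows if r["fixed_in"]), key=vkey)


def unresolved(rows):
    """Rows marked N/A*: no direct-dependency version known to the bot fixes them."""
    return [r for r in rows if r["fixed_in"] is None]


def transitive_floors(rows, fix_map):
    """Per-artifact minimum version to pin for the N/A* rows, plus ids with no fix shown."""
    floors, no_fix = {}, []
    for r in unresolved(rows):
        fix = fix_map.get(r["id"])
        if fix is None:
            no_fix.append(r["id"])
            continue
        artifact, version = fix
        if artifact not in floors or vkey(version) > vkey(floors[artifact]):
            floors[artifact] = version
    return floors, no_fix


def below_floor(resolved, floors):
    """Artifacts whose resolved version (or absence) is still under the required floor."""
    return {a: (resolved.get(a), v) for a, v in floors.items()
            if a not in resolved or vkey(resolved[a]) < vkey(v)}


if __name__ == "__main__":
    rows = parse_table(TABLE_ROWS)
    print("upgrade spring-boot-starter-web to at least", minimum_starter_version(rows))
    floors, no_fix = transitive_floors(rows, TRANSITIVE_FIX)
    print("transitive floors to pin:", floors)
    print("no fix version shown on this page:", no_fix)
    # Hypothetical versions read from `gradle dependencies` after the bump (constructed).
    resolved = {"tomcat-embed-core": "11.0.21", "jackson-core": "3.1.0"}
    print("still below floor:", below_floor(resolved, floors))
```

The floors are what a Gradle dependency constraint has to enforce after the starter bump; confirm the outcome against `./gradlew dependencies --configuration runtimeClasspath` rather than against the build file, since a constraint that does not win resolution changes nothing. When raising tomcat-embed-core, keep the other tomcat-embed-* artifacts on the same version, and treat the four ids without a visible fix as open until their advisories are checked in the Mend application.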

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2026-43512

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43512

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.55,org.apache.tomcat:tomcat-catalina:11.0.22,org.apache.tomcat.embed:tomcat-embed-core:11.0.22,org.apache.tomcat:tomcat-catalina:9.0.118,org.apache.tomcat:tomcat-catalina:10.1.55,https://github.com/apache/tomcat.git - 10.1.55,https://github.com/apache/tomcat.git - 11.0.22,org.apache.tomcat.embed:tomcat-embed-core:9.0.118,https://github.com/apache/tomcat.git - 9.0.118

Step up your Open Source Security Game with Mend here

CVE-2026-40976

Vulnerable Library - spring-boot-4.0.1.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.1/2c20ae598c14dd78d3098aafc8a799afbdf8e69a/spring-boot-4.0.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-http-converter-4.0.1.jar
      • spring-boot-4.0.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Publish Date: 2026-04-27

URL: CVE-2026-40976

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-27

Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6


CVE-2026-29145

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-29145

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.5


WS-2026-0003

Vulnerable Library - jackson-core-3.0.3.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/tools.jackson.core/jackson-core/3.0.3/d208ec73d6a17667a0462cfc3237076a087bc936/jackson-core-3.0.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-jackson-4.0.1.jar
      • spring-boot-jackson-4.0.1.jar
        • jackson-databind-3.0.3.jar
          • jackson-core-3.0.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Publish Date: 2026-03-02

URL: WS-2026-0003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-72hv-8253-57qq

Release Date: 2026-03-02

Fix Resolution (tools.jackson.core:jackson-core): 3.1.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.4


CVE-2026-41284

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Publish Date: 2026-05-12

URL: CVE-2026-41284

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution: https://github.com/apache/tomcat.git - 10.1.55,https://github.com/apache/tomcat.git - 11.0.22,org.apache.tomcat.embed:tomcat-embed-core:11.0.22,org.apache.tomcat.embed:tomcat-embed-core:10.1.55,https://github.com/apache/tomcat.git - 9.0.118,org.apache.tomcat.embed:tomcat-embed-core:9.0.118


CVE-2026-34487

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.21

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6


CVE-2026-34483

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34483

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.21

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6


CVE-2026-29146

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-29146

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.5


CVE-2026-29062

Vulnerable Library - jackson-core-3.0.3.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/tools.jackson.core/jackson-core/3.0.3/d208ec73d6a17667a0462cfc3237076a087bc936/jackson-core-3.0.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-jackson-4.0.1.jar
      • spring-boot-jackson-4.0.1.jar
        • jackson-databind-3.0.3.jar
          • jackson-core-3.0.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Publish Date: 2026-03-06

URL: CVE-2026-29062

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2026-03-06

Fix Resolution: https://github.com/FasterXML/jackson-core.git - jackson-core-3.1.0


CVE-2026-24880

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Other, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-24880

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.5


CVE-2026-24734

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.
The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.
Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

Publish Date: 2026-02-17

URL: CVE-2026-24734

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml

Release Date: 2026-02-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.18

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.3


CVE-2026-42498

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-42498

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution: https://github.com/apache/tomcat.git - 10.1.55,https://github.com/apache/tomcat.git - 9.0.118,https://github.com/apache/tomcat.git - 11.0.22,org.apache.tomcat.embed:tomcat-embed-core:11.0.22,org.apache.tomcat.embed:tomcat-embed-core:9.0.118,org.apache.tomcat.embed:tomcat-embed-core:10.1.55


CVE-2026-40973

Vulnerable Library - spring-boot-4.0.1.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.1/2c20ae598c14dd78d3098aafc8a799afbdf8e69a/spring-boot-4.0.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-http-converter-4.0.1.jar
      • spring-boot-4.0.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.

Publish Date: 2026-04-27

URL: CVE-2026-40973

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2026-04-27

Fix Resolution (org.springframework.boot:spring-boot): 4.0.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6


CVE-2026-41293

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Publish Date: 2026-05-12

URL: CVE-2026-41293

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.118,https://github.com/apache/tomcat.git - 11.0.22,org.apache.tomcat:tomcat-coyote:11.0.22,org.apache.tomcat:tomcat-coyote:10.1.55,https://github.com/apache/tomcat.git - 10.1.55,org.apache.tomcat.embed:tomcat-embed-core:11.0.22,https://github.com/apache/tomcat.git - 9.0.118,org.apache.tomcat.embed:tomcat-embed-core:10.1.55,org.apache.tomcat.embed:tomcat-embed-core:9.0.118


CVE-2026-22740

Vulnerable Library - spring-web-7.0.2.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/7.0.2/fc1f3eec8e102b896b06c0082bf4d08486e091d3/spring-web-7.0.2.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-http-converter-4.0.1.jar
      • spring-web-7.0.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.

Publish Date: 2026-04-29

URL: CVE-2026-22740

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-22740

Release Date: 2026-04-18

Fix Resolution (org.springframework:spring-web): 7.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6


CVE-2026-25854

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-25854

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.5

CVE-2026-22737

Vulnerable Library - spring-webmvc-7.0.2.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/7.0.2/ed0b3b7724e8cb4b47976eda5e862b3dd1ed871b/spring-webmvc-7.0.2.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-webmvc-4.0.1.jar
      • spring-webmvc-7.0.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Publish Date: 2026-03-19

URL: CVE-2026-22737

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-22737

Release Date: 2026-03-19

Fix Resolution:

  • org.springframework:spring-webflux:6.2.17
  • org.springframework:spring-webflux:7.0.6
  • https://github.com/spring-projects/spring-framework.git - v7.0.6

CVE-2026-43513

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43513

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution:

  • org.apache.tomcat:tomcat-catalina:9.0.118
  • org.apache.tomcat:tomcat-catalina:10.1.55
  • org.apache.tomcat:tomcat-catalina:11.0.22
  • org.apache.tomcat.embed:tomcat-embed-core:9.0.118
  • org.apache.tomcat.embed:tomcat-embed-core:10.1.55
  • org.apache.tomcat.embed:tomcat-embed-core:11.0.22
  • https://github.com/apache/tomcat.git - 9.0.118
  • https://github.com/apache/tomcat.git - 10.1.55
  • https://github.com/apache/tomcat.git - 11.0.22

CVE-2026-32990

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-32990

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 11.0.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.5

CVE-2026-22745

Vulnerable Library - spring-webmvc-7.0.2.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/7.0.2/ed0b3b7724e8cb4b47976eda5e862b3dd1ed871b/spring-webmvc-7.0.2.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-webmvc-4.0.1.jar
      • spring-webmvc-7.0.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:

  • the application is using Spring MVC or Spring WebFlux
  • the application is serving static resources from the file system
  • the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Publish Date: 2026-04-29

URL: CVE-2026-22745

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-29

Fix Resolution (org.springframework:spring-webmvc): 7.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6

CVE-2026-43515

Vulnerable Library - tomcat-embed-core-11.0.15.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/11.0.15/aa20506537e3efa61afd6b57d79f9da6a55f37ae/tomcat-embed-core-11.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-starter-tomcat-4.0.1.jar
      • spring-boot-tomcat-4.0.1.jar
        • tomcat-embed-core-11.0.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43515

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution:

  • org.apache.tomcat:tomcat-catalina:9.0.118
  • org.apache.tomcat:tomcat-catalina:10.1.55
  • org.apache.tomcat:tomcat-catalina:11.0.22
  • org.apache.tomcat.embed:tomcat-embed-core:9.0.118
  • org.apache.tomcat.embed:tomcat-embed-core:10.1.55
  • org.apache.tomcat.embed:tomcat-embed-core:11.0.22
  • https://github.com/apache/tomcat.git - 9.0.118
  • https://github.com/apache/tomcat.git - 10.1.55
  • https://github.com/apache/tomcat.git - 11.0.22

CVE-2026-40975

Vulnerable Library - spring-boot-4.0.1.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.1/2c20ae598c14dd78d3098aafc8a799afbdf8e69a/spring-boot-4.0.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-http-converter-4.0.1.jar
      • spring-boot-4.0.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

Publish Date: 2026-04-27

URL: CVE-2026-40975

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-27

Fix Resolution (org.springframework.boot:spring-boot): 4.0.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6

CVE-2026-40977

Vulnerable Library - spring-boot-4.0.1.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.1/2c20ae598c14dd78d3098aafc8a799afbdf8e69a/spring-boot-4.0.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-4.0.1.jar (Root Library)
    • spring-boot-http-converter-4.0.1.jar
      • spring-boot-4.0.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.

Publish Date: 2026-04-27

URL: CVE-2026-40977

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-27

Fix Resolution (org.springframework.boot:spring-boot): 4.0.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.6
