[Git][security-tracker-team/security-tracker][master] new spring issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 9 11:24:34 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ba8fbe0b by Moritz Muehlenhoff at 2026-06-09T12:23:51+02:00
new spring issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -90,41 +90,76 @@ CVE-2026-41978 (Permission control vulnerability in the clone module.Impact: Suc
CVE-2026-41975 (Permission management vulnerability in the network management module.I ...)
NOT-FOR-US: Huawei
CVE-2026-41855 (In an untrusted JMS environment, org.springframework.jms.support.conve ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41855
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41854 (Due to incorrect host parsing, applications that rely on UriComponents ...)
- TODO: check
+ - libspring-java <not-affected> (Only affects Spring 6 and later)
+ NOTE: https://spring.io/security/cve-2026-41854
CVE-2026-41853 (Spring MVC and WebFlux applications are vulnerable to Multipart reques ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41853
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41852 (A vulnerability in Spring Expression Language (SpEL) evaluation logic ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41852
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41851 (Applications which accept user-supplied Spring Expression Language (Sp ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41851
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41850 (Applications that evaluate user-supplied Spring Expression Language (S ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41850
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41849 (An integer overflow vulnerability exists in the evaluation logic of th ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41849
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41848 (Applications may be vulnerable to a Regular Expression Denial of Servi ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41848
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41847 (Spring WebFlux applications may be vulnerable to a security bypass whe ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41847
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41846 (Spring MVC applications which accept user-supplied values in the cssCl ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41846
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41845 (Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41845
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41844 (A Spring MVC or Spring WebFlux application which configures a mapping ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41844
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41843 (Spring MVC and WebFlux applications are vulnerable to Path Traversal a ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41843
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41842 (Spring MVC and WebFlux applications are vulnerable to Denial of Servic ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41842
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41841 (Spring MVC and WebFlux applications are vulnerable to Information Disc ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41841
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41840 (Spring WebFlux applications are vulnerable to Denial of Service (DoS) ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41840
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41839 (A WebFlux application with a compromised subdomain (for example, compr ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41839
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41838 (IDs for WebSocket sessions in the spring-websocket module are not cryp ...)
- TODO: check
+ - libspring-java <unfixed> (unimportant)
+ NOTE: https://spring.io/security/cve-2026-41838
+ NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
CVE-2026-41720 (Spring LDAP's DirContextAuthenticationStrategy implementations do not ...)
TODO: check
CVE-2026-41715 (In specific scenarios involving HTTP redirects from a secure to an ins ...)
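Review bot: The three entries whose descriptions are WebFlux-specific (CVE-2026-41847, CVE-2026-41840, CVE-2026-41839) get the same `<unfixed> (unimportant)` triage as the MVC and SpEL issues, with no record of whether the affected module is present in the packaged version. CVE-2026-41854 shows that applicability was checked for that one issue ("Only affects Spring 6 and later"). If the same check shows that the packaged libspring-java does not contain the WebFlux code, `<not-affected>` with a short reason would be more accurate for those three than `<unfixed>`, and would keep them out of the unfixed list for the package. For the remaining entries, the README.Debian.security NOTE explains the `unimportant` severity but not the per-issue applicability, so a short affected-version NOTE taken from each linked advisory would help whoever revisits these.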
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8fbe0b3c3191b7a034c6117ea01a471d1de114