CVE-2026-41007 in Spring HATEOASinfo

Summary

by MITRE • 06/09/2026

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.

Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

Vmware

Reservation

04/16/2026

Disclosure

06/09/2026

Moderation

accepted

Entry

VDB-369399

CPE

ready

CWE

CWE-770 (confirmed)

CVSS

7.5 (CNA)

EPSS

0.00040

KEV

Activities

low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-41007
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-41007
CVE Details	https://www.cvedetails.com/cve/CVE-2026-41007/

◂ Previous Overview Next ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!