CVE-2026-41711

Updated on 09 Jun 2026

Severity

5.9 Medium severity

Details

CVSS score
5.9
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Overview

About vulnerability

Description

Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack: parsing crafted Sort parameters can exhaust the call stack and throw a java.lang.StackOverflowError.

This issue can occur if an application exposes an endpoint that accepts Sort parameters from untrusted sources and passes them to Spring Data without sanitizing them, or if the application exposes endpoints whose parameters are annotated with @ProjectedPayload or @QuerydslPredicate.

Spring Data Commons does not itself expose this API to untrusted callers; exposure depends on the consuming Spring Data module or on application code.

Affected Spring Products and Versions

Spring Data Commons:

  • 4.0.0 to 4.0.5
  • 3.5.0 to 3.5.11
  • 3.4.0 to 3.4.14
  • 3.3.0 to 3.3.16
  • 3.2.0 to 3.2.15
  • 3.1.0 to 3.1.14
  • 3.0.0 to 3.0.15
  • 2.7.0 to 2.7.19
  • older unsupported versions

Mitigation

Users of affected versions should upgrade to the corresponding fixed version. As defence in depth, validate any untrusted input intended for sorting before Spring Data processes it: accept only an allow-list of sortable property names, in a bounded number of sort parameters, and reject everything else. The table lists no fix version for the 3.2.x, 3.1.x and 3.0.x lines; users of those lines should move to a line that has one.
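The two controller shapes the description contrasts, as an added example (not code from the advisory or from the Spring Data project). It assumes a Spring Boot 3 application with Spring Web MVC and Spring Data JPA; Invoice, InvoiceRepository and the /invoices paths are hypothetical names. Because the advisory places the overflow in the parsing of Sort parameters, the hardened endpoint never lets Spring Data's argument resolver see the raw sort values: it reads them from the request, checks each against a strict shape and an allow-list of sortable properties, and only then builds a Sort.

```java
// Added example; not code from the advisory or the Spring Data project.
// Assumes Spring Boot 3 with Spring Web MVC and Spring Data JPA (jakarta namespace).
// Invoice, InvoiceRepository and the /invoices endpoints are hypothetical names.
package example;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@Entity
class Invoice {
    @Id Long id;
    String status;
    long total;
}

interface InvoiceRepository extends JpaRepository<Invoice, Long> {
}

@RestController
class InvoiceController {

    // Entity properties a client is allowed to sort on.
    private static final Set<String> SORTABLE = Set.of("id", "status", "total");

    // Accepted shape of one ?sort= value: "property" or "property,asc" / "property,desc".
    // No dots, so no nested property paths; bounded length.
    private static final Pattern SORT_VALUE =
            Pattern.compile("^[A-Za-z][A-Za-z0-9]{0,31}(?:,(?:asc|desc))?$");

    private static final int MAX_SORT_VALUES = 3;

    private final InvoiceRepository invoices;

    InvoiceController(InvoiceRepository invoices) {
        this.invoices = invoices;
    }

    // Exposed shape from the advisory: Spring Data's argument resolver parses
    // ?sort=... into this Sort before the method body runs, so the untrusted
    // text reaches Spring Data's parser unchecked and nothing here can stop it.
    @GetMapping("/invoices/unsafe")
    List<Invoice> unsafe(Sort sort) {
        return invoices.findAll(sort);
    }

    // Hardened shape: read the raw values, validate them, then build the Sort.
    // Spring Data only ever sees property names from the allow-list.
    @GetMapping("/invoices")
    List<Invoice> safe(HttpServletRequest request) {
        // getParameterValues keeps each ?sort= value intact (no comma splitting).
        return invoices.findAll(toSort(request.getParameterValues("sort")));
    }

    static Sort toSort(String[] rawValues) {
        if (rawValues == null || rawValues.length == 0) {
            return Sort.by(Sort.Direction.DESC, "id");           // safe default
        }
        if (rawValues.length > MAX_SORT_VALUES) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "too many sort values");
        }
        List<Sort.Order> orders = new ArrayList<>();
        for (String raw : rawValues) {
            if (!SORT_VALUE.matcher(raw).matches()) {
                throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "malformed sort value");
            }
            String[] parts = raw.split(",");
            String property = parts[0];
            if (!SORTABLE.contains(property)) {
                throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "property is not sortable");
            }
            Sort.Direction direction = parts.length == 2 && parts[1].equals("desc")
                    ? Sort.Direction.DESC
                    : Sort.Direction.ASC;
            orders.add(new Sort.Order(direction, property));
        }
        return Sort.by(orders);
    }
}
```

Validation placed inside a handler method that already takes a Sort (or a Pageable, which carries one) runs after the resolver has parsed the untrusted value, so it cannot prevent this issue; that is why the hardened endpoint takes the raw strings instead. Treat the validation as defence in depth alongside the upgrade, not as a replacement for it.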

Affected version(s)   Fix version   Availability
4.0.x                 4.0.6         OSS
3.5.x                 3.5.12        OSS
3.4.x                 3.4.15        Enterprise Support Only
3.3.x                 3.3.17        Enterprise Support Only
2.7.x                 2.7.20        Enterprise Support Only

History

  • 2026-06-09: Initial vulnerability report published.

Details

Affected product:
Spring
Affected packages:
Spring Data @ 2.4.18 (+158 more)