Spring Framework 5.3.x < 5.3.49 Multiple Vulnerabilities

high Nessus Plugin ID 320774

Synopsis

The Spring Framework install on the remote host is affected by multiple vulnerabilities.

Description

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.49. It is, therefore, affected by multiple vulnerabilities:

- Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. (CVE-2026-41847)

- An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). (CVE-2026-41849)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Spring Framework version 5.3.49 or later.

See Also

https://spring.io/security/cve-2026-41847

https://spring.io/security/cve-2026-41849

Plugin Details

Severity: High

ID: 320774

File Name: spring_framework_CVE-2026-41847_CVE-2026-41849.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/12/2026

Updated: 6/12/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-41849

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:vmware:spring_framework, cpe:/a:pivotal_software:spring_framework

Required KB Items: installed_sw/Spring Framework

Patch Publication Date: 6/8/2026

Vulnerability Publication Date: 6/8/2026

Reference Information

CVE: CVE-2026-41847, CVE-2026-41849

IAVA: 2026-A-0562