CVE-2026-41848

Published: Jun 9, 2026Modified: Jun 11, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Affected (4)

Products: Vmware: Spring Framework

Vmware

1 product

Spring Framework

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Framework	From 5.3.0 to 5.3.49
Vmware Spring Framework	From 6.1.0 to 6.1.28
Vmware Spring Framework	From 6.2.0 to 6.2.19
Vmware Spring Framework	From 7.0.0 to 7.0.8

Related CWEs

CWE-1333

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References (1)

https://spring.io/security/cve-2026-41848

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.