CVE-2026-41849
Spring Framework Denial of Service via Integer Overflow in SpEL Expressions
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Affected versions:
Spring Framework 5.3.0 through 5.3.48.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Spring · Spring Framework