CVE-2026-41854

MEDIUM NVD

CVSS Score 4.2

Severity MEDIUM

Published Jun 09, 2026

Vendor unknown

Description

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.

References

https://spring.io/security/cve-2026-41854