{“lastseen”:””,”description”:”Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.\\n\\nAffected versions:\\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.”,”published”:”2026-06-09T23:48:38.290Z”,”modified”:”2026-06-09T23:48:38.290Z”,”type”:”cve”,”title”:”Spring Data MongoDB – SpEL Expression Injection via Annotated Query Parameter Binding”,”source”:”vmware”,”references”:”https:\/\/spring.io\/security\/cve-2026-41717″,”id”:”CVE-2026-41717″,”bulletinFamily”:””,”cwe”:[“CWE-917″],”cvelist”:null,”sourceData”:”Spring Spring Data MongoDB 5.0.0\\nSpring Spring Data MongoDB 4.5.0\\nSpring Spring Data MongoDB 4.4.0\\nSpring Spring Data MongoDB 4.3.0\\nSpring Spring Data MongoDB 4.2.0\\nSpring Spring Data MongoDB 4.1.0\\nSpring Spring Data MongoDB 4.0.0\\nSpring Spring Data MongoDB 3.4.0″,”sourceHref”:””,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Spring Data MongoDB”,”version”:”5.0.0″,”vendor”:”Spring”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,52,12,15,13,7,11,5],"class_list":["post-61504","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n