CVE-2026-2818

Summary

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.

Affected Software

VendorProductVersion RangeStatus
VMwareSpring Data Geode2.0.0.RELEASE <= 2.7.18affected
VMwareSpring Data Gemfire1.7.0.RELEASE <= 2.2.13.RELEASEaffected

Weaknesses

  • CWE-23: CWE-23 Relative Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

org.springframework.data/spring-data-geode: Spring Data Geode: Path traversal vulnerability allows arbitrary file write via import snapshot functionality.

Additional References

References