CVE-2026-40987
7.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Summary
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.
Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Integration | 7.0.0 < 7.0.4.1 | affected |
| Spring | Spring Integration | 6.5.0 < 6.5.8.1 | affected |
| Spring | Spring Integration | 6.4.0 < 6.4.12 | affected |
| Spring | Spring Integration | 6.3.0 < 6.3.15 | affected |
| Spring | Spring Integration | 5.5.0 < 5.5.21 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.