Exposed Dangerous Method or Function Affecting org.springframework:spring-expression package, versions [5.3.0, 6.0.0), [6.1.0, 6.2.19), [7.0.0-M1, 7.0.8)


Severity

medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS
0.16% (6th percentile)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-17253570
  • published: 9 Jun 2026
  • disclosed: 8 Jun 2026
  • credit: Unknown

Introduced: 8 Jun 2026

CVE-2026-41852
CWE-749

How to fix?

Upgrade org.springframework:spring-expression to version 6.0.0, 6.2.19, 7.0.8 or higher.

Overview

Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via Spring Expression Language (SpEL) method invocation handling. An attacker can invoke arbitrary zero-argument methods by supplying crafted SpEL expressions, even in contexts intended to restrict method execution or provide read-only access. This may allow execution of unintended application logic and access to functionality that should not be exposed through expression evaluation.

Note: This is only exploitable if the application accepts and evaluates untrusted or user-controlled SpEL expressions.
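The upgrade above is the fix. Until it is rolled out, an application that must evaluate caller-supplied expressions can narrow what reaches the parser at all. The following is an added example and is not Snyk's or the Spring Framework's own code: a hypothetical `SafePropertyLookup` class that accepts only plain dotted property paths (no parentheses, brackets, operators, type or bean references) and evaluates them against a read-only data-binding `SimpleEvaluationContext`. Because the advisory says method-execution restrictions inside the context can be bypassed in affected versions, the allow-list check runs before parsing rather than relying on the context alone. The `Customer` class is a constructed sample root object.

```java
import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Hypothetical application-side wrapper (added example, not library code).
public final class SafePropertyLookup {

    // Only dotted identifiers are allowed, e.g. "customer.address.city".
    // Anything with '(', '[', '#', '@', 'T(' or operators fails this match,
    // so method-call syntax never reaches the SpEL parser.
    private static final Pattern PROPERTY_PATH =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    // Bound the input size so the regex and parser only ever see short strings.
    private static final int MAX_LENGTH = 128;

    private final ExpressionParser parser = new SpelExpressionParser();

    // Read-only data-binding context: the narrowest built-in SimpleEvaluationContext
    // (no type references, bean references or assignment). It is a second layer,
    // not a substitute for the allow-list above or for upgrading.
    private final EvaluationContext context =
            SimpleEvaluationContext.forReadOnlyDataBinding().build();

    public Object lookup(Object root, String untrustedPath) {
        if (untrustedPath == null
                || untrustedPath.length() > MAX_LENGTH
                || !PROPERTY_PATH.matcher(untrustedPath).matches()) {
            // Reject before parsing; log the rejection in real code for detection.
            throw new IllegalArgumentException("rejected expression");
        }
        Expression expr = parser.parseExpression(untrustedPath);
        return expr.getValue(context, root);
    }

    // Constructed sample root object for a stand-alone run.
    public static final class Customer {
        private final String name = "Ada";
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        SafePropertyLookup lookup = new SafePropertyLookup();
        System.out.println(lookup.lookup(new Customer(), "name"));
        try {
            lookup.lookup(new Customer(), "name.length()");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The allow-list deliberately describes what is permitted rather than what is forbidden; a denylist of method-call patterns would have to track every SpEL syntax form, which is exactly the kind of restriction this advisory reports as bypassable. Rejections are a useful detection signal and are worth logging with the caller identity.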
