CVE-2026-41843: Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux
Published Jun 9, 2026
Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Affected Software
5 affected components
VMware Spring Framework >=7.0.0 <=7.0.7, >=6.2.0 <=6.2.18, >=6.1.0 <=6.1.27, >=5.3.0 <=5.3.48
VMware Spring Framework >=5.3.0 <5.3.49
VMware Spring Framework >=6.1.0 <6.1.28
VMware Spring Framework >=6.2.0 <6.2.19
VMware Spring Framework >=7.0.0 <7.0.8
Event History
Jun 9, 2026
03:50 AM: CVE Published (via MITRE)
03:50 AM: Data Sourced via MITRE (Description, Severity, Weakness)
05:16 AM: Data Sourced via NVD (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2026-41843?
The severity of CVE-2026-41843 is classified as medium with a score of 5.9.
2. How do I fix CVE-2026-41843?
To fix CVE-2026-41843, upgrade to Spring Framework versions 7.0.8, 6.2.19, 6.1.28, or 5.3.49 or later.
3. What types of applications are affected by CVE-2026-41843?
CVE-2026-41843 affects Spring MVC and WebFlux applications that use versioned static resources.
4. What attack vector does CVE-2026-41843 expose?
CVE-2026-41843 exposes applications to Path Traversal attacks.
5. Which versions of Spring Framework are vulnerable to CVE-2026-41843?
Versions of Spring Framework from 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are vulnerable.