CVE-2017-8046 — CVSS 9.8 (critical): Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay…
CVE-2026-41729 — CVSS 8.1 (high): Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+…
CVE-2026-41728 — CVSS 7.5 (high): Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path…
CVE-2018-1274 — CVSS 7.5 (high): Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability…
CVE-2018-1259 — CVSS 7.5 (high): Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions…
CVE-2026-41837 — CVSS 5.3 (medium): Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider…
CVE-2021-22047 — CVSS 5.3 (medium): In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom…
CVE-2026-41730 — CVSS 5.3 (medium): Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer…
CVE-2022-31679 — CVSS 3.7 (low): Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older…