Spring data rest
This hub aggregates every CVE we track for Spring data rest, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
OSS Libraries, other
- CVEs tracked: 10
- Critical: 2
- High: 4
- In CISA KEV: 1
Severity distribution
HIGH 4, MEDIUM 3, CRITICAL 2, LOW 1
Monthly trend (2024-07 to 2026-06): 0 in each month except the final one, which shows 4.
Latest CVEs
The 10 most recently published vulnerabilities affecting Spring data rest.
- CVE-2026-41837: Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys (score: 5.3)
- CVE-2026-41730: Spring Data REST exposes persistence-layer internals in error responses (score: 5.3)
- CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch (score: 8.1)
- CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections (score: 7.5)
- CVE-2022-31679: Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure... (score: 3.7)
- CVE-2021-22047: In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-l... (score: 5.3)
- CVE-2018-1259: Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper ... (score: 7.5)
- CVE-2018-1274: Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated... (score: 7.5)
- CVE-2018-1273: Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. ... (KEV; score: 9.8)
- CVE-2017-8046: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use... (score: 9.8)
Product normalization is registry-driven with AI assist and human review.