CVE-2026-40980
Published 2026-04-28
Priority: P4 (34) · Severity: medium · CVSS 3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.24% (15.0th percentile)
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring | spring_ai | >= 1.0.0 < 1.0.6 | 1.0.6 |
| spring | spring_ai | >= 1.1.0 < 1.1.5 | 1.1.5 |
| vmware | spring_ai | >= 1.0.0 < 1.0.6 | 1.0.6 |
| vmware | spring_ai | >= 1.1.0 < 1.1.5 | 1.1.5 |
GHSA · 2026-04-28
CVE-2026-40980 [MEDIUM] CWE-400: Spring AI Vulnerable to OOM by attacker-controlled PDF
VulDB · 2026-04-28 · CVSS 6.5
CVE-2026-40980 [MEDIUM] VMware Spring AI up to 1.0.5/1.1.4 PDF File ForkPDFLayoutTextStripper resource consumption
A vulnerability has been found in VMware Spring AI up to 1.0.5/1.1.4 and classified as problematic. Affected by this issue is the function ForkPDFLayoutTextStripper of the component PDF File Handler. Performing a manipulation results in resource consumption.
This vulnerability was named CVE-2026-40980. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.