VMware Spring Data MongoDB vulnerabilities
3 known vulnerabilities affecting vmware/spring_data_mongodb.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 1, HIGH: 1, MEDIUM: 1
Vulnerabilities
CVE-2022-22980 | P2 | CRITICAL | CVSS 9.8 | ≤ 3.3.4, v3.4.0, +1 more | 2022-06-23
CVE-2022-22980 [CRITICAL] CWE-917
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
Source: NVD
CVE-2026-41717 | P3 | HIGH | CVSS 8.1 | ≥ 3.4.0, ≤ 3.4.19; ≥ 4.0.0, ≤ 4.0.15; +6 more | 2026-06-10
CVE-2026-41717 [HIGH] CWE-917
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.
Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.
Source: NVD
CVE-2026-41696 | P3 | MEDIUM | CVSS 5.9 | ≥ 3.4.0, ≤ 3.4.19; ≥ 4.0.0, ≤ 4.0.15; +6 more | 2026-06-10
CVE-2026-41696 [MEDIUM] CWE-943
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.
Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.
Source: NVD