CVE-2026-41844
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability in Spring MVC and Spring WebFlux allows an attacker to redirect a user to an arbitrary external host via a crafted link with the 'redirect:' prefix, when the application configures a mapping for '/**' without explicitly specifying a view name.
Risk Assessment
An attacker can exploit this flaw for phishing attacks or redirecting users to malicious sites, potentially leading to data theft or malware infection.
Recommendation
Immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used, and avoid configuring '/**' mapping without an explicit view name.
Original NVD description (English source)
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

