CVE-2026-41696

Published: Giu 10, 2026 Last Modified: Giu 10, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,9

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.

Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

943

Improper Neutralization of Special Elements in Data Query Logic

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Access Control

Potential Impacts:

Bypass Protection Mechanism Read Application Data Modify Application Data Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://spring.io/security/cve-2026-41696

CVE-2026-41696

Description

Improper Neutralization of Special Elements in Data Query Logic

Common Consequences

Applicable Platforms

Iscriviti alla newsletter