CVE-2026-41697

Published: Giu 10, 2026 Last Modified: Giu 10, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,8

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: low

Description

AI Translation Available

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.

Affected versions:
Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.

943

Improper Neutralization of Special Elements in Data Query Logic

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Access Control

Potential Impacts:

Bypass Protection Mechanism Read Application Data Modify Application Data Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://spring.io/security/cve-2026-41697

CVE-2026-41697

Description

Improper Neutralization of Special Elements in Data Query Logic

Common Consequences

Applicable Platforms

Iscriviti alla newsletter