CVE-2018-1259EPSS p91.5%

CVE-2018-1259CVE-2018-1259

broadcom / spring_data_commons

Description

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Scoring

CVSS 7.5 ()
VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS5.29% probability of exploitation · percentile 91.5% · 2026-06-19T12:03:05Z
Last modified2026-06-15
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.