CVE-2026-40967 · HIGH 8.6 · EPSS percentile 31.0%


Description

In Spring AI, the various FilterExpressionConverter implementations accept a filter expression object and translate it into the query language of a specific vector store. In several of these converters, keys and values are not properly escaped, so attacker-controlled filter input can alter the resulting query.

Affected versions: Spring AI 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.39% probability of exploitation · percentile 31.0% · 2026-06-19T12:03:05Z
Published: 2026-04-28
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-94

References

  1. https://spring.io/security/cve-2026-40967

Weakness mapping (1 entry)

Type: Weakness
Target: Improper Control of Generation of Code ('Code Injection'), cwe-94
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-22729
  2. CVE: CVE-2026-22738
  3. CVE: CVE-2026-22744
  4. CVE: CVE-2026-41705
  5. CVE: CVE-2026-40978
  6. CVE: CVE-2026-22730

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.