CVE-2026-41863EPSS p32.5%

CVE-2026-41863CVE-2026-41863

vmware / spring_ai

Description

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0 through 1.1.x

Scoring

CVSS 6.5 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS0.41% probability of exploitation · percentile 32.5% · 2026-06-19T12:03:05Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41843
CVE
CVE-2026-22661
CVE
CVE-2026-40967
CVE
CVE-2026-22739
CVE
CVE-2026-22742
CVE
CVE-2026-41841
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.