CVE-2026-41705
HighRCE
Published: 09 May 2026
Published
09 May 2026
Modified
09 May 2026
KEV Added
—
Patch
—
CVSS Score
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score
0.0002
5.4th percentile
Risk Priority
17
60% EPSS · 20% KEV · 20% CVSS
Summary
CVE-2026-41705 is a high-severity Expression Language Injection (CWE-917) vulnerability in Spring AI (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
NVD Description
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or…
more
greater.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)
Affected Products
Spring
AI
inferred from references and description; NVD did not file a CPE for this CVE
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, ai, ai
CVEs Like This One
CVE-2026-22729Shared CWE-917
CVE-2026-22738Shared CWE-917
CVE-2026-41883Shared CWE-917
CVE-2025-41243Shared CWE-917
CVE-2026-42811Shared CWE-917
CVE-2026-24713Shared CWE-917
CVE-2026-40478Shared CWE-917
CVE-2026-39842Shared CWE-917
CVE-2026-40477Shared CWE-917
CVE-2026-28201Shared CWE-917