CRITICAL | Remediated

CVE-2026-1093

SpEL expression injection in @Value resolution

Technology

Spring Framework

CVSS Score

9.8 / 10.0

Affected Versions

5.3.0 – 5.3.35

Patched In

OSSeva for Spring Framework 5.3.39-osseva-1

Published

March 1, 2026

Remediated

March 15, 2026

Description

Spring Expression Language (SpEL) is evaluated in @Value annotations without sufficient sandboxing when certain configuration patterns are used, enabling remote code execution in applications that accept user-supplied property values.
