CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-41863

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0 through 1.1.x

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 15.8%

CVSS Severity

CVSS v3 Score 6.5

References

https://spring.io/security/cve-2026-41863

Products affected by CVE-2026-41863

Vmware » Spring Ai » Version: 1.1.0

cpe:2.3:a:vmware:spring_ai:1.1.0
Vmware » Spring Ai » Version: 1.1.1

cpe:2.3:a:vmware:spring_ai:1.1.1
Vmware » Spring Ai » Version: 1.1.2

cpe:2.3:a:vmware:spring_ai:1.1.2
Vmware » Spring Ai » Version: 1.1.3

cpe:2.3:a:vmware:spring_ai:1.1.3
Vmware » Spring Ai » Version: 1.1.4

cpe:2.3:a:vmware:spring_ai:1.1.4

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-41863

Products

Pricing

Contact Us