Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework.ai/spring-ai-advisors-vector-store@1.1.2

Type maven

Namespace org.springframework.ai

Name spring-ai-advisors-vector-store

Version 1.1.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.1.5

Latest_non_vulnerable_version 2.0.0-M6

Affected_by_vulnerabilities

url VCID-v94q-ts1m-sqde

vulnerability_id VCID-v94q-ts1m-sqde

summary

Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40966

reference_id

reference_type

scores

value	0.00053
scoring_system	epss
scoring_elements	0.17028
published_at	2026-06-06T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.16928
published_at	2026-06-09T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.1691
published_at	2026-06-08T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.17033
published_at	2026-06-05T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.16993
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40966

reference_url

https://github.com/spring-projects/spring-ai

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-ai

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40966

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40966

reference_url

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:18:57Z/

url

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

reference_url

https://spring.io/security/cve-2026-40966

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:18:57Z/

url

https://spring.io/security/cve-2026-40966

reference_url

https://github.com/advisories/GHSA-v6x6-pjxw-3pv2

reference_id

GHSA-v6x6-pjxw-3pv2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v6x6-pjxw-3pv2

fixed_packages

url	pkg:maven/org.springframework.ai/spring-ai-advisors-vector-store@1.1.5
purl	pkg:maven/org.springframework.ai/spring-ai-advisors-vector-store@1.1.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.ai/spring-ai-advisors-vector-store@1.1.5

aliases CVE-2026-40966, GHSA-v6x6-pjxw-3pv2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v94q-ts1m-sqde

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.ai/spring-ai-advisors-vector-store@1.1.2

Package Instance