System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40972.json
epss	0.00058	https://api.first.org/data/v1/epss?cve=CVE-2026-40972
epss	0.00058	https://api.first.org/data/v1/epss?cve=CVE-2026-40972
epss	0.00058	https://api.first.org/data/v1/epss?cve=CVE-2026-40972
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-56v8-86gj-66jp
cvssv3.1	7.5	https://github.com/spring-projects/spring-boot
generic_textual	HIGH	https://github.com/spring-projects/spring-boot
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2026-40972
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-40972
cvssv3.1	7.5	https://spring.io/security/cve-2026-40972
generic_textual	HIGH	https://spring.io/security/cve-2026-40972
ssvc	Track	https://spring.io/security/cve-2026-40972

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40972.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-40972
		https://github.com/spring-projects/spring-boot
		https://nvd.nist.gov/vuln/detail/CVE-2026-40972
2463332		https://bugzilla.redhat.com/show_bug.cgi?id=2463332
cve-2026-40972		https://spring.io/security/cve-2026-40972
GHSA-56v8-86gj-66jp		https://github.com/advisories/GHSA-56v8-86gj-66jp
RHSA-2026:17668		https://access.redhat.com/errata/RHSA-2026:17668
RHSA-2026:21772		https://access.redhat.com/errata/RHSA-2026:21772
RHSA-2026:25089		https://access.redhat.com/errata/RHSA-2026:25089

No exploits are available.

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40972.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-boot

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40972

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://spring.io/security/cve-2026-40972

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

---

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T12:45:17Z/ Found at https://spring.io/security/cve-2026-40972

---

Percentile	0.18558
EPSS Score	0.00058
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:53:09.287791+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/40xxx/CVE-2026-40972.json	38.6.0