CVE-2018-1259

HIGH

Spring Data Commons 1.13-1.13.11 & 2.0-2.0.6 - XXE via Projection-Based Request Binding

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1259, a PoC published by tafamace.

AI-analyzed exploit summary: The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality for CVE-2018-1259. It lacks offensive techniques or vulnerability-specific logic.

Description

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
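Added example (not code from Spring Data, XMLBeam, or the PoC repository tracked on this page) showing the shape of the problem the description refers to: an XMLBeam projection of the kind Spring Data binds request bodies to, fed an XML body that declares an external entity, beside the same projection built on an XBProjector whose DocumentBuilderFactory refuses DOCTYPEs and external entities. The projection interface, the file path in the constructed payload, and the factory-override approach are assumptions for illustration; the feature URIs are the standard JAXP/Xerces ones.

```java
// Added example, not Spring Data's or XMLBeam's own code.
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xmlbeam.XBProjector;
import org.xmlbeam.annotation.XBRead;
import org.xmlbeam.config.DefaultXMLFactoriesConfig;

public class XxeProjectionDemo {

    // Hypothetical projection interface: the field is read straight out of the parsed DOM,
    // so whatever the parser substituted for an entity reference ends up in the bound value.
    public interface UserPayload {
        @XBRead("/user/firstname")
        String getFirstname();
    }

    // Constructed XXE payload: an internal DTD subset defines an external general entity
    // backed by a local file, then the projected element references it.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<user><firstname>&xxe;</firstname></user>";

    // Default configuration: XMLBeam's stock factories, which (per the advisory, for
    // XMLBeam 1.4.14 and earlier) do not restrict external entity expansion.
    static XBProjector unsafeProjector() {
        return new XBProjector();
    }

    // Hardened configuration (assumed approach): override the DocumentBuilderFactory XMLBeam
    // uses so that a DOCTYPE is rejected outright and external entities are never resolved.
    static XBProjector hardenedProjector() {
        return new XBProjector(new DefaultXMLFactoriesConfig() {
            @Override
            public DocumentBuilderFactory createDocumentBuilderFactory() {
                DocumentBuilderFactory f = super.createDocumentBuilderFactory();
                try {
                    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                    // Rejecting the DOCTYPE closes both XXE and entity-expansion DoS in one step.
                    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                    // Belt and braces for parsers that accept a DOCTYPE anyway.
                    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
                    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
                } catch (ParserConfigurationException e) {
                    // Fail closed: a parser that cannot be hardened must not be used for untrusted input.
                    throw new IllegalStateException("XML parser does not support XXE hardening", e);
                }
                f.setXIncludeAware(false);
                f.setExpandEntityReferences(false);
                return f;
            }
        });
    }

    public static void main(String[] args) {
        // Against an unpatched stack the bound value is the contents of the referenced file.
        UserPayload bound = unsafeProjector().projectXMLString(XXE_PAYLOAD, UserPayload.class);
        System.out.println("unsafe projector bound firstname = [" + bound.getFirstname() + "]");

        // The hardened projector refuses the document before any entity is resolved.
        try {
            hardenedProjector().projectXMLString(XXE_PAYLOAD, UserPayload.class);
            System.out.println("hardened projector: payload accepted (hardening did not apply)");
        } catch (RuntimeException e) {
            System.out.println("hardened projector rejected the payload: " + e.getClass().getSimpleName());
        }
    }
}
```

Run the class against XMLBeam 1.4.14 with the stock projector and the bound value is the file contents, which is the entire vulnerability: an attacker controls an XML request body, and the projection copies parser output into a value the application trusts. The fix path this page supports is the versions named in the description (Spring Data Commons 1.13.12 / 2.0.7, or a later XMLBeam). Where an application constructs its own XBProjector for Spring Data's XmlBeamHttpMessageConverter (its XBProjector-accepting constructor is assumed here), the hardened factory above is the setting to check for; the quickest test is to send a body carrying a DOCTYPE and confirm the request is rejected rather than bound.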

Exploits (1)

nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-1259

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2018-1259
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1809
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3768

Scores

CVSS v3 7.5
EPSS 0.1493
EPSS Percentile 94.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-611
Status published
Products (4)
org.springframework.data/spring-data-commons 1.13.0 - 1.13.11 (Maven; fixed in 1.13.12)
pivotal_software/spring_data_commons 1.13 - 1.13.11
pivotal_software/spring_data_rest 2.6 - 2.6.11
xmlbeam/xmlbeam <= 1.4.14 (per the description: 1.4.14 or earlier)
Published May 11, 2018
Tracked Since Feb 18, 2026