CVE-2026-2818

HIGH

Spring Data Geode - Path Traversal

Description

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. The vulnerability appears to affect Windows only.

Scores

CVSS v3 8.2
EPSS 0.0014
EPSS Percentile 33.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-23
Status published
Products (2)
VMware/Spring Data Gemfire 1.7.0.RELEASE - 2.2.13.RELEASE
VMware/Spring Data Geode 2.0.0.RELEASE - 2.7.18
Published Feb 20, 2026
Tracked Since Feb 21, 2026