CVE-2026-40987
Severity: HIGH
Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
Title source: cna

Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-40987. PoCs published by daehyuh.
AI-analyzed exploit summary
This repository contains a functional proof-of-concept exploit for CVE-2026-40987, demonstrating a path traversal vulnerability in Spring Integration FTP. The test case simulates a malicious FTP server that serves a file with a crafted filename to escape the configured local directory.
Description
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
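The root cause in the title is a classic one: the synchronizer takes the file name the remote server reports and joins it under localDirectory as-is, so a name such as `../../etc/cron.d/job` (or an absolute path) lands outside the configured directory. The following is an added, illustrative example written for this page; it is not Spring Integration's code and the class and method names are hypothetical. It places the naive join beside a hardened resolver that rejects any remote name carrying a path separator or a dot segment and then, as defence in depth, normalizes the result and confirms it is still contained in the local directory.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative example for CVE-2026-40987 (not Spring Integration code).
 * A remote-file synchronizer must treat the file names a remote server
 * returns as untrusted input before using them to build a local path.
 */
public class SafeLocalPathExample {

    /** Unsafe: trusts the server-supplied name and joins it under localDirectory. */
    static Path resolveUnsafe(Path localDirectory, String remoteFileName) {
        // Path.resolve() with an absolute argument simply returns that argument,
        // and ".." segments are kept, so the server chooses the destination.
        return localDirectory.resolve(remoteFileName);
    }

    /**
     * Hardened: a remote *file name* must be a single path segment. Reject
     * separators and dot segments outright, then normalize and verify that
     * the resolved path still lies inside the local directory.
     */
    static Path resolveSafe(Path localDirectory, String remoteFileName) throws IOException {
        if (remoteFileName == null || remoteFileName.isEmpty()) {
            throw new IOException("empty remote file name");
        }
        // Servers on other platforms may report backslash separators; treat both as hostile.
        if (remoteFileName.indexOf('/') >= 0 || remoteFileName.indexOf('\\') >= 0
                || remoteFileName.equals(".") || remoteFileName.equals("..")) {
            throw new IOException("rejected remote file name: " + remoteFileName);
        }
        Path root = localDirectory.toAbsolutePath().normalize();
        Path candidate = root.resolve(remoteFileName).normalize();
        // Defence in depth: containment check after canonicalization.
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IOException("rejected remote file name: " + remoteFileName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as a malicious server might report them.
        Path localDirectory = Paths.get("/var/app/inbound");
        String[] serverSupplied = {
            "report.csv",
            "../../../etc/cron.d/evil",
            "/etc/cron.d/evil",
            "..\\..\\Windows\\Tasks\\evil.job"
        };
        for (String name : serverSupplied) {
            System.out.println("remote name: " + name);
            System.out.println("  unsafe   -> " + resolveUnsafe(localDirectory, name).normalize());
            try {
                System.out.println("  hardened -> " + resolveSafe(localDirectory, name));
            } catch (IOException e) {
                System.out.println("  hardened -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it on a POSIX host and the unsafe branch prints `/etc/cron.d/evil` for both the relative and the absolute crafted names, while the hardened branch accepts only `report.csv`. Rejecting rather than stripping the offending segments is deliberate: a synchronizer should never receive a name containing a separator from a directory listing, so such a name is a signal that the remote side is hostile or broken and the file should not be written at all.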
Exploits (1)
daehyuh: functional proof-of-concept test case (summarized above).
Scores
CVSS 3.1 base score: 7.1 (High)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
The vector reflects the attack model in the description: the client must be pointed at an attacker-controlled or compromised server (network access, high complexity, low privileges, user interaction), and a successful write escapes the synchronizer's local directory onto the host filesystem (changed scope, high integrity impact).