VYPR
Medium severity6.5NVD Advisory· Published May 25, 2026· Updated Jun 1, 2026

CVE-2026-41863

CVE-2026-41863

Description

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories.

Affected versions: Spring AI: 1.1.0 through 1.1.x

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.