VYPR

Maven package

org.springframework.ai/spring-ai-vector-store

pkg:maven/org.springframework.ai/spring-ai-vector-store

Vulnerabilities (3)

  • CVE-2026-40967 | Hig | Apr 28, 2026
    affected >= 1.0.0, < 1.0.6 | fixed 1.0.6

    In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate it to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions

  • CVE-2026-22738 | Cri | Mar 27, 2026
    affected >= 1.0.0, < 1.0.5 | fixed 1.0.5

    In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a f

  • CVE-2026-22729 | Hig | Mar 18, 2026
    affected >= 1.1.0-M1, < 1.1.3 | fixed 1.1.3

    A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath querie