CVE-2026-22730

8.8

High

Published:18 Mar 2026

Last updated:17 Jun 2026

Source:security@vmware.com

Analyzed

Weakness (CWE)

CWE-89SQL Injection

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.

References

security@vmware.com

https://spring.io/security/cve-2026-22730