By vendor

Broadcom vulnerabilities

Known CVEs affecting Broadcom products, prioritized by severity, with SEC.co remediation and detection guidance.

7 published vulnerabilities

  • CVE-2026-41695HIGH 7.5

    Spring Data Commons, a widely-used Java framework component, contains a denial-of-service vulnerability in how it processes property path strings. An attacker can send specially crafted requests that cause the application to exhaust system resources (CPU, memory) during property resolution, making the service unavailable to legitimate users. This affects versions 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5.

  • CVE-2026-41716HIGH 7.5

    Spring Data Commons contains a vulnerability in how it caches internal property lookups. An attacker can exploit this by sending specially crafted requests that cause the cache to store attacker-controlled strings as permanent cache keys. Because these keys are never cleaned up, repeated requests will gradually consume all available heap memory, eventually crashing the application. This is a denial-of-service attack that requires no authentication and can be triggered from the network.

  • CVE-2026-41719MEDIUM 6.4

    Spring Data KeyValue and Spring Data Redis are widely used libraries for integrating key-value stores with Spring applications. A vulnerability in these libraries allows an attacker with authenticated access to inject malicious SpEL (Spring Expression Language) code through the Sort parameter of repository query methods. When the application passes unsanitized user input to sorting operations, the SpelPropertyComparator evaluates that input as executable code rather than treating it as data. This could allow an authenticated user to read sensitive data, modify application behavior, or degrade system availability.

  • CVE-2026-41008MEDIUM 6.1

    Spring Security Authorization Server contains an open redirect vulnerability in its authorization endpoint. When processing OAuth 2.0 authorization requests, the server insufficiently validates the request_uri parameter, allowing an attacker to combine an invalid request_uri with a crafted redirect_uri to redirect users to an attacker-controlled website after authentication. This affects Spring Security versions 7.0.0–7.0.5 and Spring Authorization Server versions 1.5.0–1.5.7.

  • CVE-2026-40991MEDIUM 5.9

    Spring REST Docs, a popular documentation tool used by developers to generate API documentation from tests, contains an XML External Entity (XXE) injection vulnerability when documenting remote APIs over HTTP. An attacker who gains control of an API being documented—or convinces a developer to document a malicious API—can inject malicious XML that executes during the documentation-generation process. The attack requires the developer to actively run their documentation tests, making social engineering or API compromise the likely attack vector.

  • CVE-2026-41711MEDIUM 5.9

    Spring Data Commons, a widely-used data access library in the Spring ecosystem, contains a flaw in how it processes Sort parameters. An attacker can craft malicious Sort requests that cause applications to exhaust stack memory, crashing the service. This is a network-accessible denial-of-service vulnerability that requires no authentication or user interaction—any exposed endpoint accepting Sort parameters becomes an attack surface.

  • CVE-2026-41721MEDIUM 5.9

    Spring Data Commons, a widely-used data access abstraction framework, contains a vulnerability that enables remote denial-of-service attacks. When Spring Data Web Support is enabled and a controller uses the @ProjectedPayload annotation, attackers can craft specific HTTP requests that force the application to consume excessive memory, degrading or halting service availability. The vulnerability requires specific configuration conditions to be present, limiting its immediate exposure but posing real risk to affected deployments.