Vulnerability Report

CVE-2026-40987

Title: Arbitrary File Write via Malicious FTP/SFTP/SMB Server

Arbitrary File Access

Proof Of Concept

PoC Available for CVE-2026-40987

CWE Category CWE-22

Published Date Jun 11, 2026

Modified Date Jun 11, 2026

Exploit Status Available

Score 7.1 CVSS v3.1

Exploit Probability (EPSS)

0.18%

Vulnerability Summary

CVE-2026-40987: A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Impacted Vendors

Analysis in Progress...

Reference Links

https://spring.io/security/cve-2026-40987

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.1

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-40987 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/daehyuh/CVE-2026-40987

View Code

June 11, 2026 MODIFIED

Vulnerability data updated via NVD.

June 11, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction REQUIRED

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

Affected Stack

No specific products linked.