Cyber Resilience

CVE-2026-41713

High

Published: 12 May 2026

Published
12 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0022 12.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41713 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Vmware Spring Ai. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation…

more

turns.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Prompt injection via crafted input enables model behavior manipulation (T1059 command interpretation) in a public-facing advisor app (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22738Same product: Vmware Spring Ai
CVE-2026-41705Same product: Vmware Spring Ai
CVE-2026-22729Same product: Vmware Spring Ai
CVE-2026-40967Same product: Vmware Spring Ai
CVE-2026-22744Same product: Vmware Spring Ai
CVE-2026-22730Same product: Vmware Spring Ai
CVE-2026-40978Same product: Vmware Spring Ai
CVE-2026-22743Same product: Vmware Spring Ai
CVE-2026-22742Same product: Vmware Spring Ai
CVE-2026-41712Same product: Vmware Spring Ai

Affected Assets

vmware
spring ai
1.0.0 — 1.0.7 · 1.1.0 — 1.1.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References