{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2818", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "state": "PUBLISHED", "assignerShortName": "HeroDevs", "dateReserved": "2026-02-19T17:07:41.627Z", "datePublished": "2026-02-20T16:03:21.032Z", "dateUpdated": "2026-02-20T20:12:35.205Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "org.springframework.data:spring-data-geode", "product": "Spring Data Geode", "repo": "https://github.com/spring-attic/spring-data-geode", "vendor": "VMware", "versions": [{"lessThanOrEqual": "2.7.18", "status": "affected", "version": "2.0.0.RELEASE", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "packageName": "org.springframework.data:spring-data-gemfire", "product": "Spring Data Gemfire", "repo": "https://github.com/spring-attic/spring-data-gemfire", "vendor": "VMware", "versions": [{"lessThanOrEqual": "2.2.13.RELEASE", "status": "affected", "version": "1.7.0.RELEASE", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.<br>"}], "value": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}, {"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2026-02-20T16:03:21.032Z"}, "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:12:17.872342Z", "id": "CVE-2026-2818", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:12:35.205Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2818", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "state": "PUBLISHED", "assignerShortName": "HeroDevs", "dateReserved": "2026-02-19T17:07:41.627Z", "datePublished": "2026-02-20T16:03:21.032Z", "dateUpdated": "2026-02-20T20:12:35.205Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "org.springframework.data:spring-data-geode", "product": "Spring Data Geode", "repo": "https://github.com/spring-attic/spring-data-geode", "vendor": "VMware", "versions": [{"lessThanOrEqual": "2.7.18", "status": "affected", "version": "2.0.0.RELEASE", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "packageName": "org.springframework.data:spring-data-gemfire", "product": "Spring Data Gemfire", "repo": "https://github.com/spring-attic/spring-data-gemfire", "vendor": "VMware", "versions": [{"lessThanOrEqual": "2.2.13.RELEASE", "status": "affected", "version": "1.7.0.RELEASE", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.<br>"}], "value": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}, {"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2026-02-20T16:03:21.032Z"}, "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2818", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T20:12:17.872342Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:12:24.717Z"}}]}}

{"cveTags": [{"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only."}], "id": "CVE-2026-2818", "lastModified": "2026-02-20T18:57:15.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}, "published": "2026-02-20T17:25:57.980", "references": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818"}], "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}

{}

{}