GHSA-86qr-9vqc-pgc6 · Severity: critical · Ecosystem: maven — Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
Conclusion & alert: CVE-2020-5413 is rated High Risk (73.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 4.41%, 90th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +2.64% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.77% | 4.41% | +2.64% |
| 2 | 2026-06-03 | 2.18% | 1.77% | -0.41% |
| 3 | 2025-11-21 | — | 2.18% | — |
Full EPSS history (22 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
GHSA-86qr-9vqc-pgc6 · Severity: critical · Ecosystem: maven — Code execution in Spring Integration
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| vmware | spring_integration | >= 4.3.0, <= 4.3.22 | cpe:2.3:a:vmware:spring_integration:*:*:*:*:*:*:*:* |
| vmware | spring_integration | >= 5.1.0, <= 5.1.11 | cpe:2.3:a:vmware:spring_integration:*:*:*:*:*:*:*:* |
| vmware | spring_integration | >= 5.2.0, <= 5.2.7 | cpe:2.3:a:vmware:spring_integration:*:*:*:*:*:*:*:* |
| vmware | spring_integration | >= 5.3.0, <= 5.3.1 | cpe:2.3:a:vmware:spring_integration:*:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.2.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.3.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.5.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.2.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.3.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.5.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.2.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.3.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.5.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_virtual_account_management | 14.2.0 | cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_virtual_account_management | 14.3.0 | cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_virtual_account_management | 14.5.0 | cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:* |
| oracle | flexcube_private_banking | 12.0.0 | cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:* |
| oracle | flexcube_private_banking | 12.1.0 | cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* |
| oracle | retail_customer_management_and_segmentation_foundation | >= 16.0, <= 19.0 | cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* |
| oracle | retail_merchandising_system | 16.0.3 | cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://tanzu.vmware.com/security/cve-2020-5413 | Vendor Advisory |
| https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |