## CVE-2026-40973: High-Severity Vulnerability Detected in Spring Boot 3.5.3 Dependency in MidnightBSD Advisory Repository
A high-severity vulnerability, cataloged as CVE-2026-40973, has been identified within the Spring Boot 3.5.3 library component embedded in the MidnightBSD/security-advisory repository. The flaw was detected through automated dependency scanning and surfaced during analysis of the project's HEAD commit on the master branch, signaling potential exposure across any downstream systems leveraging this version of the framework.

The vulnerable artifact, spring-boot-3.5.3.jar, sits as a transitive dependency beneath the root library spring-boot-starter-3.5.3.jar. WhiteSource's security scanner flagged the issue at the path /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.5.3/spring-boot-3.5.3.jar, with the detection recorded in the project's Maven dependency manifest at /pom.xml. The specific nature and exploitation requirements of CVE-2026-40973 remain undisclosed in available tracking data, leaving security teams to await published vulnerability intelligence to assess actual risk exposure.

The discovery in an open-source security-advisory repository raises broader concerns about supply-chain hygiene and the propagation of vulnerable dependencies through common build pipelines. Spring Boot, as a widely deployed Java application framework, sits at the foundation of numerous enterprise systems. Organizations whose projects have similar dependency graphs should immediately check their own artifact caches and dependency trees for spring-boot 3.5.3 (including cases where it is pulled in transitively by a starter) and consider temporary mitigations pending full CVE disclosure and patch availability from the Spring project maintainers.

---
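As an added example (not from the advisory, the scanner, or the Spring project), the check below reconciles a Maven local repository against the affected version by parsing the cache's `<group>/<artifact>/<version>/<artifact>-<version>.jar` layout; the sample path list is constructed to mirror the path quoted above plus unaffected neighbours, and the affected-version set is an assumption taken only from this advisory.

```python
import os
import re
from typing import Iterable, List, Tuple

# Maven local-repository layout: <repo>/<group path>/<artifact>/<version>/<artifact>-<version>.jar
# The pattern is restricted to the org.springframework.boot group named in the advisory.
_JAR_RE = re.compile(
    r"^(?P<root>.*)/org/springframework/boot/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P=artifact)-(?P=version)\.jar$"
)

# Assumption: the only version this advisory reports as affected. Extend as intelligence is published.
AFFECTED_SPRING_BOOT_VERSIONS = {"3.5.3"}

def parse_spring_boot_jar(path: str):
    """Return (artifact, version) for an org.springframework.boot jar in a Maven cache, else None."""
    m = _JAR_RE.match(path.replace(os.sep, "/"))
    if not m:
        return None
    return m.group("artifact"), m.group("version")

def find_affected_jars(paths: Iterable[str], affected=AFFECTED_SPRING_BOOT_VERSIONS) -> List[Tuple[str, str]]:
    """Keep only spring-boot jars at an affected version. The starter that pulls spring-boot in
    is not itself flagged; it is the root whose version must be bumped once a fix ships."""
    hits = []
    for p in paths:
        parsed = parse_spring_boot_jar(p)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "spring-boot" and version in affected:
            hits.append((p, version))
    return hits

def walk_jars(m2_root: str) -> Iterable[str]:
    """Yield every .jar under a Maven local repository (normally ~/.m2/repository)."""
    for dirpath, _, files in os.walk(m2_root):
        for f in files:
            if f.endswith(".jar"):
                yield os.path.join(dirpath, f)

# Constructed sample cache listing: the advisory's path plus unaffected neighbours.
SAMPLE_PATHS = [
    "/home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.5.3/spring-boot-3.5.3.jar",
    "/home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter/3.5.3/spring-boot-starter-3.5.3.jar",
    "/home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.4.0/spring-boot-3.4.0.jar",
    "/home/wss-scanner/.m2/repository/org/springframework/spring-core/6.2.8/spring-core-6.2.8.jar",
]

if __name__ == "__main__":
    root = os.path.expanduser("~/.m2/repository")
    paths = walk_jars(root) if os.path.isdir(root) else SAMPLE_PATHS
    for path, version in find_affected_jars(paths):
        print(f"affected: {path} (spring-boot {version})")
```

Run against a real cache this only confirms presence in the cache, not that the jar is on a deployed classpath; pair it with `mvn dependency:tree` output from each build to find which starter introduces it.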
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-40973, Spring Boot, dependency vulnerability, supply chain security, Java
- **Credibility**: unverified
- **Published**: 2026-04-29 02:54:10
- **ID**: 78045
- **URL**: https://whisperx.ai/en/intel/78045