Zip-Slip Path Traversal Vulnerability in Spring Data Geode
CVE-2026-2818

8.2HIGH

Key Information:

Vendor: Vmware
Status: Spring Data Geode; Spring Data Gemfire
Vendor: CVE Published:; 20 February 2026

What is CVE-2026-2818?

A zip-slip path traversal vulnerability has been identified in the import snapshot functionality of Spring Data Geode. This issue could allow attackers to manipulate file paths to write files outside the designated extraction directory, leading to potential unauthorized file access and manipulation. It is important to note that this vulnerability is specific to the Windows operating system, which could expose users to greater risks if not properly mitigated.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Spring Data Gemfire 1.7.0.RELEASE <= 2.2.13.RELEASE

Spring Data Geode 2.0.0.RELEASE <= 2.7.18

References

https://www.herodevs.com/vulnerability-directory/cve-2026...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Feb 19, 2026

JSON

Vmware