CVE-2026-42555 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: May 14, 2026
Valtimo - Remote Code Execution & Credential Exfiltration
Published: May 14, 2026Updated: May 14, 2026Remote Exploitable
Overview
Valtimo com.ritense.valtimo:document < 12.32.0, com.ritense.valtimo:case < 13.23.0, and com.ritense.valtimo:contract < 13.23.0 contain a remote code execution caused by evaluation of user-supplied Spring Expression Language (SpEL) expressions with unrestricted Java access, letting authenticated ADMIN users execute code and exfiltrate credentials.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Authenticated ADMIN users can execute arbitrary code and exfiltrate credentials, leading to full system compromise.
Mitigation
Upgrade to com.ritense.valtimo:document 12.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0 or later.
Related Resources
Details
- CVE ID
- CVE-2026-42555
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- expression_language_injection
- Status
- rejected
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H