CVE-2026-27887

Source
https://cve.org/CVERecord?id=CVE-2026-27887
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27887.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27887
Aliases
  • GHSA-mv4f-6ffm-32wx
Published
2026-02-26T00:55:53.360Z
Modified
2026-02-26T19:35:12.769130Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Summary
Spin has memory leaks in various WIT interfaces
Details

Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and containerd-shim-spin 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27887.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770",
        "CWE-774",
        "CWE-789"
    ]
}
References

Affected packages

Git / github.com/spinframework/spin

Affected ranges

Type
GIT
Repo
https://github.com/spinframework/spin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.1"
        }
    ]
}

Affected versions

sdk/go/v0.*
sdk/go/v0.10.0
sdk/go/v0.2.0
sdk/go/v0.3.0
sdk/go/v0.4.0
sdk/go/v0.5.0
sdk/go/v0.6.0
sdk/go/v0.7.0
sdk/go/v0.7.1
sdk/go/v0.8.0
sdk/go/v0.9.0
sdk/go/v1.*
sdk/go/v1.0.0-rc.1
sdk/go/v1.1.0
sdk/go/v1.2.0
sdk/go/v1.3.0
spin/templates/v0.*
spin/templates/v0.10
spin/templates/v0.3
spin/templates/v0.4
spin/templates/v0.5
spin/templates/v0.6
spin/templates/v0.7
spin/templates/v0.8
spin/templates/v0.9
spin/templates/v1.*
spin/templates/v1.0
spin/templates/v1.1
spin/templates/v1.3
spin/templates/v1.5
spin/templates/v3.*
spin/templates/v3.0
v0.*
v0.1.0
v0.1.0-rc.1
v0.1.0-rc.2
v0.1.0-rc.3
v0.1.0-rc.4
v0.10.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v1.*
v1.0.0-rc.1
v1.1.0
v1.2.0
v1.3.0
v3.*
v3.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27887.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "0.6.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "0.22.1"
            }
        ]
    }
]