VYPR

Maven package

org.springframework.boot/spring-boot

pkg:maven/org.springframework.boot/spring-boot

Vulnerabilities (5)

  • CVE-2026-40976 (Critical), Apr 28, 2026
    affected >= 4.0.0, < 4.0.6; fixed 4.0.6

    In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default we

  • CVE-2026-40973 (High), Apr 28, 2026
    affected >= 4.0.0, < 4.0.6; fixed 4.0.6

    A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session

  • CVE-2025-22235 (High), Apr 28, 2025
    affected <= 2.7.24.2

    EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointR

  • CVE-2022-27772, Mar 30, 2022
    affected < 2.2.11.RELEASE; fixed 2.2.11.RELEASE

    spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and

  • CVE-2018-1196 (Medium), Mar 19, 2018
    affected >= 1.5.0, < 1.5.10; fixed 1.5.10

    Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user"