VYPR

Spring Framework

by VMware

CVEs (27)

  • CVE-2015-5211 | Critical | May 25, 2017
    risk 0.56 | CVSS 9.6 | EPSS 0.03

    Under some situations, Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in…

  • CVE-2014-0225 | High | May 25, 2017
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

  • CVE-2026-41842 | High | Jun 9, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41845 | High | Jun 9, 2026
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18;…

  • CVE-2026-22740 | Medium | Apr 29, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, those temp files may not be deleted after the request is fully processed. This allows an attacker to consume available disk space. Older,…

  • CVE-2016-5007 | High | May 25, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.03

    Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with…

  • CVE-2016-9878 | High | Dec 29, 2016
    risk 0.42 | CVSS 7.5 | EPSS 0.06

    An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

  • CVE-2026-41846 | Medium | Jun 9, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring…

  • CVE-2026-41843 | Medium | Jun 9, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41841 | Medium | Jun 9, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-22737 | Medium | Mar 20, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Use of script template views backed by a Java scripting engine (e.g. JRuby, Jython) in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0…

  • CVE-2026-41851 | Medium | Jun 9, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0…

  • CVE-2026-22745 | Medium | Apr 29, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application…

  • CVE-2026-41847 | Medium | Jun 9, 2026
    risk 0.31 | CVSS 4.8 | EPSS 0.00

    Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

  • CVE-2015-3192 | Medium | Jul 12, 2016
    risk 0.29 | CVSS 5.5 | EPSS 0.03

    Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

  • CVE-2026-41844 | Medium | Jun 9, 2026
    risk 0.27 | CVSS 4.2 | EPSS 0.00

    A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring…

  • CVE-2026-41848 | Low | Jun 9, 2026
    risk 0.24 | CVSS 3.7 | EPSS 0.00

    Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path),…

  • CVE-2026-22741 | Low | Apr 29, 2026
    risk 0.20 | CVSS 3.1 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is…

  • CVE-2026-41852 | Low | Jun 9, 2026
    risk 0.17 | CVSS 3.7 | EPSS 0.00

    A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework…

  • CVE-2026-22735 | Low | Mar 20, 2026
    risk 0.17 | CVSS 2.6 | EPSS 0.00

    Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
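
The two DTD-related entries in the list above, CVE-2014-0225 (external entity resolution from a DTD, i.e. XXE) and CVE-2015-3192 (inline DTD entity expansion leading to memory exhaustion), share one parser-level mitigation: refuse DOCTYPE declarations in user-supplied XML altogether. The following is an added example, not code from this page or from the Spring project, showing a javax.xml DocumentBuilderFactory hardened with the standard JAXP/Xerces features and run against two constructed payloads of those two kinds. The class name, method names and sample documents are made up for the illustration; the features set here are the general-purpose hardening for any JAXP parser, not the specific change Spring shipped for these CVEs.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParsing {

    // Constructed sample: an external-entity reference in a DTD declaration,
    // the shape of input CVE-2014-0225 describes. Never fetched when DOCTYPE is refused.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<order><id>&xxe;</id></order>";

    // Constructed sample: nested inline entity expansion, the shape of input
    // CVE-2015-3192 describes. Kept to two levels so it is harmless to run.
    static final String EXPANSION_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    /** Factory that rejects any DOCTYPE, which stops both XXE and inline entity expansion before parsing. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: the built-in JDK (Xerces) parser throws on any <!DOCTYPE ...>.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DOCTYPE.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+: no external DTD or schema fetches over any protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    /** Returns true if the document was accepted, false if the parser rejected it. */
    static boolean parses(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself is the fatal error.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("XXE payload accepted:       " + parses(hardened, XXE_PAYLOAD));
        System.out.println("Expansion payload accepted: " + parses(hardened, EXPANSION_PAYLOAD));
        System.out.println("Benign document accepted:   " + parses(hardened, "<order><id>42</id></order>"));
    }
}
```

Refusing the DOCTYPE outright is the simplest posture for XML that arrives over the network, since ordinary data documents do not need one; where a schema genuinely requires a DTD, the remaining features above still block external fetches but leave inline expansion to be bounded by the JDK's entity expansion limit (jdk.xml.entityExpansionLimit), so check that limit has not been raised in your deployment.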

Page 1 of 2