VYPR

Vendor CVEs

Spring Projects

All CVEs

116 total · sorted by risk
  • CVE-2026-41846 · Med · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring…

  • CVE-2026-41843 · Med · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41841 · Med · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41840 · Med · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41710 · Med · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in…

  • CVE-2026-47838 · Med · Jun 10, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions:…

  • CVE-2026-40990 · Med · Jun 1, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    An OOM error is possible while attempting to add an unbounded number of functions to the Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16; Spring Cloud Function 4.1.x: versions prior to 4.1.10; Spring Cloud Function 4.2.x:…

  • CVE-2026-41726 · Med · Jun 10, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for…

  • CVE-2025-41234 · Med · Jun 12, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header with a non-ASCII charset, where the filename attribute is derived from…

  • CVE-2026-40997 · Med · Jun 11, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That…

  • CVE-2026-41837 · Med · Jun 10, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16;…

  • CVE-2026-41730 · Med · Jun 10, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through…

  • CVE-2026-41853 · Med · Jun 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

  • CVE-2026-41851 · Med · Jun 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0…

  • CVE-2024-38828 · Med · Nov 18, 2024
    risk 0.34 · cvss 5.3 · epss 0.01

    Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

  • CVE-2024-22258 · Med · Mar 20, 2024
    risk 0.33 · cvss 6.1 · epss 0.01

    Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the…

  • CVE-2026-40986 · Med · Jun 11, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected…

  • CVE-2026-41697 · Med · Jun 10, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected…
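The mechanism behind CVE-2026-41697, as an added illustration that is not Spring Data Relational's own code: a small SQL LIKE matcher run over constructed rows shows how a CONTAINING StringMatcher wraps the caller's value in `%` and, when `%` and `_` in that value are left unescaped, lets the caller ask yes/no questions about a column's content one probe at a time; escaping the value turns the same probes into literal text. The `Account` rows, the `escapeLike` helper and the `sqlLike` matcher are assumptions made for the demo (Java 16+ for the record).

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Spring Data code): unescaped CONTAINING matching as a blind-inference
// channel, beside the escaped form that closes it.
public class LikeWildcardDemo {

    // Constructed rows; "secret" is a column the caller is not meant to read directly.
    record Account(String username, String secret) {}

    static final List<Account> ROWS = List.of(
        new Account("alice", "hunter2"),
        new Account("bob",   "correct-horse"));

    // Minimal SQL LIKE matcher: % matches any run, _ matches one char, backslash escapes.
    static boolean sqlLike(String value, String pattern) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '\\' && i + 1 < pattern.length()) {
                re.append(Pattern.quote(String.valueOf(pattern.charAt(++i))));
            } else if (c == '%') {
                re.append(".*");
            } else if (c == '_') {
                re.append('.');
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(re.toString(), Pattern.DOTALL).matcher(value).matches();
    }

    // What a CONTAINING StringMatcher does: wrap the caller's value in % ... %.
    static boolean containsUnescaped(String column, String probe) {
        return sqlLike(column, "%" + probe + "%");
    }

    // Escape \, % and _ in the caller-supplied value so they only match themselves.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    static boolean containsEscaped(String column, String probe) {
        return sqlLike(column, "%" + escapeLike(probe) + "%");
    }

    // Blind inference: the attacker only learns whether *some* row matched.
    static boolean anyMatch(String probe, boolean escaped) {
        return ROWS.stream().anyMatch(a -> escaped
            ? containsEscaped(a.secret(), probe)
            : containsUnescaped(a.secret(), probe));
    }

    public static void main(String[] args) {
        // Unescaped: "h%2" asks "does any secret start with h and end with 2?", and
        // "h_____2" then confirms its length is exactly 7; each probe is one yes/no question.
        System.out.println(anyMatch("h%2", false));      // true
        System.out.println(anyMatch("h_____2", false));  // true
        System.out.println(anyMatch("h______2", false)); // false (no 8-character match)
        // Escaped: the same probes are literal text and match nothing.
        System.out.println(anyMatch("h%2", true));       // false
        System.out.println(anyMatch("h_____2", true));   // false
        // A genuine substring still matches as the application intends.
        System.out.println(anyMatch("horse", true));     // true
    }
}
```

When the escaped value is bound into a real query the statement also needs an `ESCAPE '\'` clause so the database treats the backslash as the escape character; the durable fix is to move to a patched Spring Data Relational release rather than to escape by hand at every call site.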

  • CVE-2026-41847 · Med · Jun 9, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

  • CVE-2026-40989 · Med · Jun 1, 2026
    risk 0.30 · cvss 5.7 · epss 0.00

    Under infinite recursion in the routing layer, request handling can cause an OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16; Spring Cloud Function 4.1.x: versions prior to 4.1.10; Spring Cloud Function 4.2.x: versions prior to…

  • CVE-2026-41701 · Med · Jun 10, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    Correlation IDs for replies in RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable because they come from an internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

  • CVE-2025-41254 · Med · Oct 16, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and Versions: Spring Framework 6.2.0 - 6.2.11; 6.1.0 - 6.1.23; 6.0.x - 6.0.29; 5.3.0 - 5.3.45; older,…

  • CVE-2026-41001 · Med · Jun 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the…

  • CVE-2026-41854 · Med · Jun 9, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.

  • CVE-2026-41844 · Med · Jun 9, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring…

  • CVE-2026-41839 · Med · Jun 9, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0…

  • CVE-2025-22223 · Med · Mar 24, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on…

  • CVE-2026-41714 · Med · Jun 10, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3;…
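The weak configuration named in CVE-2026-41714 beside a hardened one, as an added example that is not Spring AMQP's own code. The broker URI, credentials, trust store path and environment variable are placeholders; the `setUri`, `setUseSSL`, `setEnableHostnameVerification` and trust store setters are the public `RabbitConnectionFactoryBean` API.

```java
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean;

// Added example, not Spring AMQP code. Host, credentials and paths are placeholders.
public class AmqpsConfig {

    // Pattern described in CVE-2026-41714: the amqps:// scheme alone yields TLS encryption
    // with no certificate validation and no hostname verification, because the bean's own
    // SSL setup is only applied when useSSL is true.
    static RabbitConnectionFactoryBean weak() {
        RabbitConnectionFactoryBean bean = new RabbitConnectionFactoryBean();
        bean.setUri("amqps://app:secret@rabbit.example.internal:5671/%2F");
        return bean;
    }

    // Hardened: opt into the bean's SSL handling, require hostname verification explicitly,
    // and pin the broker CA in a dedicated trust store instead of relying on defaults.
    static RabbitConnectionFactoryBean hardened() throws Exception {
        RabbitConnectionFactoryBean bean = new RabbitConnectionFactoryBean();
        bean.setUri("amqps://app:secret@rabbit.example.internal:5671/%2F");
        bean.setUseSSL(true);
        bean.setEnableHostnameVerification(true);
        bean.setTrustStore("file:/etc/app/rabbit-truststore.p12");   // placeholder path
        bean.setTrustStoreType("PKCS12");
        bean.setTrustStorePassphrase(System.getenv("RABBIT_TRUSTSTORE_PASS")); // placeholder
        bean.afterPropertiesSet();   // builds the underlying client ConnectionFactory
        return bean;
    }

    static CachingConnectionFactory connectionFactory() throws Exception {
        return new CachingConnectionFactory(hardened().getObject());
    }
}
```

A quick check for existing code bases: grep for `setUri("amqps` (or an `amqps://` value in a property that feeds it) and confirm that every such bean also calls `setUseSSL(true)`; the patched Spring AMQP releases listed above remove the trap, but the explicit call documents the intent either way.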

  • CVE-2026-41000 · Low · Jun 11, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics…

  • CVE-2026-41848 · Low · Jun 9, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path),…

  • CVE-2026-41838 · Med · Jun 9, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through…

  • CVE-2024-38827 · Med · Dec 2, 2024
    risk 0.24 · cvss 4.8 · epss 0.00

    The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

  • CVE-2026-41694 · Low · Jun 10, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions:…

  • CVE-2026-41852 · Low · Jun 9, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework…

  • CVE-2022-22965 · KEV · Apr 1, 2022
    risk 0.16 · cvss n/a · epss 1.00

    A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar,…

  • CVE-2025-22233 · Low · May 16, 2025
    risk 0.13 · cvss 3.1 · epss 0.00

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions …
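The Locale-dependent case mapping behind CVE-2024-38827 above and the disallowedFields lowercase handling that CVE-2024-38820 and CVE-2025-22233 refer to, as an added illustration that is not Spring Security or Spring Framework code. The `hasRoleNaive` / `hasRoleSafe` pair is a constructed stand-in for any rule that compares identifiers after case folding; the point is the JVM default locale, set here to Turkish to make the effect visible.

```java
import java.util.Locale;

// Added example (not Spring code): String.toLowerCase()/toUpperCase() follow the JVM
// default locale, and Turkish maps I <-> i differently from every other locale.
public class LocaleCaseDemo {

    // Naive rule: compares after default-locale case folding.
    static boolean hasRoleNaive(String granted, String required) {
        return granted.toLowerCase().equals(required.toLowerCase());
    }

    // Safe rule: pin the locale so 'I' always folds to 'i' and 'i' to 'I'.
    static boolean hasRoleSafe(String granted, String required) {
        return granted.toLowerCase(Locale.ROOT).equals(required.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale.setDefault(Locale.forLanguageTag("tr"));   // e.g. a JVM on a Turkish host

        // In Turkish, "I".toLowerCase() is U+0131 (dotless i), not "i".
        System.out.println("ADMIN".toLowerCase());           // admın
        System.out.println(hasRoleNaive("ADMIN", "admin"));  // false: the rule silently never matches
        System.out.println(hasRoleSafe("ADMIN", "admin"));   // true

        // The reverse direction: "i".toUpperCase() becomes U+0130 (capital I with dot).
        System.out.println("disallowedField".toUpperCase()); // DİSALLOWEDFİELD
        System.out.println(hasRoleSafe("admin", "ADMIN"));   // true
    }
}
```

A rule that never matches fails closed for a role check but fails open for a deny list such as disallowedFields, which is why the same root cause appears once as a broken authorization rule and once as a data-binding bypass; auditing for locale-free `toLowerCase()` / `toUpperCase()` calls on security-relevant strings catches both.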

  • CVE-2019-3799 · May 6, 2019
    risk 0.10 · cvss n/a · epss 0.85

    Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or…

  • CVE-2019-11269 · Jun 12, 2019
    risk 0.04 · cvss n/a · epss 0.09

    Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft…

  • CVE-2019-3778 · Mar 7, 2019
    risk 0.04 · cvss n/a · epss 0.16

    Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can…

  • CVE-2023-34050 · Oct 19, 2023
    risk 0.03 · cvss n/a · epss 0.02

    In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed-list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list…

  • CVE-2022-31692 · Oct 31, 2022
    risk 0.01 · cvss n/a · epss 0.03

    Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring…

  • CVE-2026-41862 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application…

  • CVE-2026-22739 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured with the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects…

  • CVE-2024-38808 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when…

  • CVE-2024-38810 · Aug 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Missing authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.

  • CVE-2024-22259 · Mar 16, 2024
    risk 0.00 · cvss n/a · epss 0.03

    Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html…

  • CVE-2024-22234 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is…

  • CVE-2024-22236 · Jan 31, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded…

  • CVE-2024-22233 · Jan 22, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses…

  • CVE-2023-34055 · Nov 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * …