CVE-2026-22737

CWE-22 — Path Traversal8 documents7 sources

Severity

5.9MEDIUM

EPSS

0.1%

top 80.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Framework

Timeline

PublishedMar 20

Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.springframework:spring-webflux7.0.0-M1 — 7.0.6+3

▶Mavenorg.springframework:spring-webmvc7.0.0-M1 — 7.0.6+3

▶CVEListV5spring/spring_framework7.0.0 — 7.0.5+3

🔴Vulnerability Details

OSV

CVE-2026-22737: Use of Java scripting engine enabled (e↗2026-03-20

▶

GHSA

Spring Framework Improper Path Limitation with Script View Templates↗2026-03-20

▶

OSV

Spring Framework Improper Path Limitation with Script View Templates↗2026-03-20

▶

CVEList

Spring Framework Improper Path Limitation with Script View Templates↗2026-03-19

▶

📋Vendor Advisories

Red Hat

Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views↗2026-03-19

▶

Debian

CVE-2026-22737: libspring-java - Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spri...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22737 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶