Spring Framework vulnerabilities

11 known vulnerabilities affecting spring/spring_framework.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 4, LOW 1

Vulnerabilities

CVE-2026-22737 | MEDIUM | CVSS 5.9 | Affected: ≥ 7.0.0, ≤ 7.0.5; ≥ 6.2.0, ≤ 6.2.16; +2 more | Published: 2026-03-20
CVE-2026-22737 [MEDIUM] CWE-22: Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.
Sources: cvelistv5, nvd
CVE-2025-22233 | LOW | CVSS 3.1 | Affected: ≥ 6.2.0, ≤ 6.2.6; ≥ 6.1.0, ≤ 6.1.19; +2 more | Published: 2025-05-16
CVE-2025-22233 [LOW] CWE-20: Spring Framework DataBinder Case Sensitive Match Exception. CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions: Spring Framework 6.2.0 - 6.2.6, 6.1.0 - 6.1.19, 6.0.0 - 6.0.27, 5.
Source: cvelistv5
CVE-2024-38820 | MEDIUM | CVSS 5.3 | Affected: ≥ 6.2.0, ≤ 6.2.6; ≥ 6.1.0, ≤ 6.1.19; +2 more | Published: 2024-10-18
CVE-2024-38820 [LOW] CWE-178: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Source: nvd
CVE-2024-38808 | MEDIUM | CVSS 4.3 | Affected: ≥ 5.3.0, < 5.3.39, 6.0+ | Published: 2024-08-20
CVE-2024-38808 [MEDIUM] CWE-770: In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL e
Sources: cvelistv5, nvd
CVE-2024-22262 | HIGH | CVSS 8.1 | Affected: ≥ 6.1.x, < 6.1.6; ≥ 6.0.x, < 6.0.19; +1 more | Published: 2024-04-16
CVE-2024-22262 [HIGH]: Spring Framework URL Parsing with Host Validation. Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to a SSRF attack if the URL is used after passing validation checks. This is
Source: cvelistv5
CVE-2024-22259 | HIGH | CVSS 8.1 | Affected: ≥ 6.1.x, < 6.1.5; ≥ 6.0.x, < 6.0.18; +1 more | Published: 2024-03-16
CVE-2024-22259 [HIGH]: Spring Framework URL Parsing with Host Validation (2nd report). Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to a SSRF attack if the URL is u
Source: cvelistv5
CVE-2024-22243 | HIGH | CVSS 8.1 | Affected: ≥ 6.1.x, < 6.1.6; ≥ 6.0.x, < 6.0.19; +1 more | Published: 2024-02-23
CVE-2024-22243 [HIGH] CWE-601: Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to a SSRF attack if the URL is used after passing validation checks.
Sources: cvelistv5, nvd
CVE-2024-22233 | HIGH | CVSS 7.5 | Affected: v6.1.2; v6.0.15 | Published: 2024-01-22
CVE-2024-22233 [HIGH] CWE-400: In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath. Typically, Sp
Sources: cvelistv5, nvd
CVE-2023-34053 | HIGH | CVSS 7.5 | Affected: ≥ 6.0.0, < 6.0.14 | Published: 2023-11-28
CVE-2023-34053 [MEDIUM]: In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an Obse
Sources: cvelistv5, nvd
CVE-2020-5398 | HIGH | CVSS 7.5 | Affected: ≥ 5.0, < v5.0.16.RELEASE; ≥ 5.1, < v5.1.13.RELEASE; +1 more | Published: 2020-01-17
CVE-2020-5398 [HIGH] CWE-79: In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
Sources: cvelistv5, nvd
CVE-2020-5397 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < v5.2.3.RELEASE | Published: 2020-01-17
CVE-2020-5397 [MEDIUM] CWE-352: Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail au
Sources: cvelistv5, nvd