Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Locking, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CVE-2026-22735, CVE-2026-22737)

Summary There are vulnerabilities in spring-web-6.2.15.jar, spring-webmvc-6.2.15.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22735, CVE-2026-22737. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-22735 DESCRIPTION: Spring MVC and WebFlux...

Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Locking (CVE-2026-22735)

Summary There are vulnerabilities in spring-web-6.2.15.jar, spring-webmvc-6.2.15.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22735. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22735 DESCRIPTION: Spring MVC and WebFlux applications are...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to stream corruption in Spring MVC and WebFlux [CVE-2026-22735]

Summary IBM Watson Speech Services Cartridge is vulnerable to stream corruption in Spring MVC and WebFlux when using Server-Sent Events SSE CVE-2026-22735. Spring MVC and WebFlux are used in our speech microservices. This vulnerabilitiy has been addressed. Please read the details for remediation...

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.13.1 Vulnerability Details CVEID:CVE-2026-22737 DESCRIPTION: Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of conten...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues in Spring

Summary There are vulnerabilities in Spring used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs CVE-2026-22732, CVE-2026-22735, CVE-2026-22737. Vulnerability Details CVEID:CVE-2026-22737 DESCRIPTION: Use of...

Security Bulletin: Due to use of spring-web-6.2.16.jar, IBM Sterling Connect:Direct Web Services is affected by stream corruption issue when using Server-Sent Events (SSE).

Summary spring-web-6.2.16.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-22735. Vulnerability Details CVEID:CVE-2026-22735 DESCRIPTION: Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.4.0) +6444 more potentially affected by CVE-2026-22735 via org.springframework:spring-webmvc (>=6.0.0 <=6.1.21)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.5.0, =cloud-0.1, =cloud-0.2.1 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +1562 more potentially affected by CVE-2026-22735 via org.springframework:spring-webmvc (>=7.0.0-M1 <=7.0.5)

org.springframework:spring-webmvc MAVEN version =7.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0-beta-1, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +1640 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=6.0.0 <=6.1.21)

org.springframework:spring-webflux MAVEN version =6.0.0, =0.2.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.6.0, =0.6.0, =0.2.2, =0.0.6, =0.0.6, =4.5.0, =1.2.0, =1.3.0 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +583 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=7.0.0-M7 <=7.0.5)

org.springframework:spring-webflux MAVEN version =7.0.0-M7, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.7.0, =2.0.8, =4.0.0.0-M2, =4.0.0.0-M2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

africa.absa:inception-application (>=1.1.0 <=1.2.0), africa.absa:inception-test (>=1.1.0 <=1.2.0) +1987 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=5.3.0 <=5.3.39)

org.springframework:spring-webflux MAVEN version =5.3.0, =1.1.0, =1.1.0, =j11.2.6.0, =v0.3.12, =v0.3.12, =v0.3.12, =4.1.36, =4.1.36, =1.7, =1.0, =1.0.0, =1.0.1, =1.0.6 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

CVE-2026-22735

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

Linux Distros Unpatched Vulnerability : CVE-2026-22735

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +9997 more potentially affected by CVE-2026-22735 via org.springframework:spring-webmvc (>=6.0.0 <=6.2.16)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.2.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.8.7 and more Source cves: CVE-2026-22735 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-15701756...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +1550 more potentially affected by CVE-2026-22735 via org.springframework:spring-webmvc (>=7.0.0 <=7.0.5)

org.springframework:spring-webmvc MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0-beta-1, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22735 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-15701756...

acegisecurity:acegi-security (=0.7.0), acegisecurity:acegi-security-cas (=0.7.0) +5 more potentially affected by CVE-2026-22735 via springframework:spring-web (>=1.0.1 <=1.2.1)

springframework:spring-web MAVEN version =1.0.1, =1.0-rc2, =1.0-rc3 Source cves: CVE-2026-22735 Source advisory: SNYK:JAVA-SPRINGFRAMEWORK-15701758...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +2677 more potentially affected by CVE-2026-22735 via org.springframework:spring-web (>=7.0.0 <=7.0.5)

org.springframework:spring-web MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0-beta-1, =0.1.1, =4.7.0, =0.2.0, =0.5.0, =0.7.0, =0.7.5 - be.appify.prefab:prefab-core =0.2.0 - be.appify.prefab:prefab-kafka =0.2.0 and more Source cves: CVE-2026-22735 Source advisory:...