This Week in Spring - March 24th, 2026

Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! and of course, next week, 1 April 2026, marks 12 years since Spring Boot...

PT-2026-27313

Name of the Vulnerable Software and Affected Versions chunjun versions prior to 1.16.1 Description An unreliable data deserialization issue exists in DTStack chunjun, specifically within the chunjun-core/src/main/java/com/dtstack/chunjun/util modules. The problem is linked to the GsonUtil.Java...

ChunJun 安全漏洞

ChunJun is an open-source Flink-based framework for synchronization and processing of heterogeneous data sources developed by Kangaroo Cloud. Versions of ChunJun prior to 1.16.1 contained security vulnerabilities. These vulnerabilities stemmed from the deserialization of untrusted data, which cou...

Joy-Con Droid 安全漏洞

Joy-Con Droid is an open-source application developed by TeamJCD that transforms Android devices into game controllers. Versions of Joy-Con Droid prior to 1.0.93 contained security vulnerabilities, which were caused by path traversal attacks. These vulnerabilities could lead to issues with the...

xyz.erupt:erupt-sample (>=1.13.2 <=1.13.3) potentially affected by CVE-2026-4593 via xyz.erupt:erupt-ai (>=1.13.2 <=1.13.3)

xyz.erupt:erupt-ai MAVEN version =1.13.2, =1.13.2, =1.13.3 Source cves: CVE-2026-4593 Source advisory: SNYK:JAVA-XYZERUPT-15812217...

com.braimanm:uitaf (>=3.0.0 <=3.2.3), com.braimanm:uitaf-playwright (>=1.0.0-alpha <=1.0.1-alpha) +7 more potentially affected by CVE-2026-33166 via io.qameta.allure:allure-generator (>=2.10.0 <=2.37.0)

io.qameta.allure:allure-generator MAVEN version =2.10.0, =3.0.0, =1.0.0-alpha, =1.1.0, =0.1.17, =0.1.17, =1.0-RC1, =2.10.0, =2.37.0 - org.uitaf:uitaf-playwright =1.0.1 Source cves: CVE-2026-33166 Source advisory: SNYK:JAVA-IOQAMETAALLURE-15763503...

Security Bulletin: IBM Sterling Connect:Direct for Unix is impacted by vulnerabilities due to IBM Java 17

Summary IBM Java 17 is used by IBM Sterling Connect:Direct for UNIX in product configuration and data transmission. IBM Sterling Connect:Direct for UNIX is impacted by vulnerabilities in IBM Java 17. IBM Sterling Connect:Direct for UNIX has upgraded IBM Java 17 to address the issues. Vulnerabilit...

OESA-2026-1690 mchange-commons security update

General tool, part of c3p0. Security Fixes: mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in Eclipse Paho Java client library

Summary A vulnerability has been identified in Eclipse Paho Java client library, which is used in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2019-11777 DESCRIPTION: In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT serve...

CVE-2026-32939

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase without specifying an explicit Locale, causing its security...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.120.0) +2889 more potentially affected by CVE-2026-22737 via org.springframework:spring-webflux (>=6.0.0 <=6.2.16)

org.springframework:spring-webflux MAVEN version =6.0.0, =0.2.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.6.0, =0.6.0, =1.0.0, =1.0.0, =0.2.2, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.6 and more Source cves: CVE-2026-22737 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-15701844...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +9997 more potentially affected by CVE-2026-22737 via org.springframework:spring-webmvc (>=6.0.0 <=6.2.16)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.2.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.8.7 and more Source cves: CVE-2026-22737 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-15701845...

EUVD-2026-13406

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

CVE-2026-22737

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

CVE-2026-22737

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

UBUNTU-CVE-2026-22737

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

pybbs 代码注入漏洞

pybbs is a Java-developed community platform created by iuiu’s individual developers. Version 6.0.0 of pybbs contains a code injection vulnerability. This vulnerability stems from a cross-site scripting attack in the create function located in the file...

CVE-2026-22737

CVE-2026-22737 affects Spring Framework components that render script template views via a Java scripting engine (e.g., JRuby, Jython) in Spring MVC and Spring WebFlux. The issue allows disclosure of content from files outside configured script template view locations due to the scripting engine ...

CVE-2026-22737

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

Security Bulletin: Communications Server (CS) for Data Center Deployment and CS for AIX are affected by: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2026 - Includes Oracle January 2026 CPU

Summary Communications Server CS for Data Center Deployment and CS for AIX install a local Java JRE in its product directories. This JRE is used solely for the IBM Key Manager ikeyman tool which is called by the snakeyman script used for managing the SSL key database used by the TN3270 Server and...