ROOT-APP-MAVEN-CVE-2026-22751 CVE-2026-22751 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2026-22751 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-22748 CVE-2026-22748 in io.root.org.springframework.security:spring-security-oauth2-jose - Patched by Root

Root has patched CVE-2026-22748 in the io.root.org.springframework.security:spring-security-oauth2-jose package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-22732 CVE-2026-22732 in io.root.org.springframework.security:spring-security-web - Patched by Root

Root has patched CVE-2026-22732 in the io.root.org.springframework.security:spring-security-web package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-38827 CVE-2024-38827 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2024-38827 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-38821 CVE-2024-38821 in io.root.org.springframework.security:spring-security-web - Patched by Root

Root has patched CVE-2024-38821 in the io.root.org.springframework.security:spring-security-web package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2025-22228 CVE-2025-22228 in io.root.org.springframework.security:spring-security-crypto - Patched by Root

Root has patched CVE-2025-22228 in the io.root.org.springframework.security:spring-security-crypto package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-22234 CVE-2024-22234 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2024-22234 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-22257 CVE-2024-22257 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2024-22257 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2022-31692 CVE-2022-31692 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2022-31692 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2023-20862 CVE-2023-20862 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2023-20862 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

Security Bulletin: MongoDB Enterprised Advanced affected by: Observable Timing Discrepancy (CVE-2026-22746)

Summary There are vulnerabilities in spring-security-core-6.5.9.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22746. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22746 DESCRIPTION: Vulnerability in Spring Spring Security. If an application is...

Security Bulletin: Security Vulnerability in Spring Security Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2025-41248)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Security Vulnerability Details CVEID:CVE-2025-41248 DESCRIPTION: The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type...

Spring Security 5.7.x < 5.7.24 / 5.8.x < 5.8.26 / 6.3.x < 6.3.17 / 6.4.x < 6.4.17 / 6.5.x < 6.5.11 / 7.0.x < 7.0.6 DoS

The version of Spring Security installed on the remote host is 5.7.x prior to 5.7.24, 5.8.x prior to 5.8.26, 6.3.x prior to 6.3.17, 6.4.x prior to 6.4.17, 6.5.x prior to 6.5.11, or 7.0.x prior to 7.0.6. It is, therefore, affected by a vulnerability: - An application using...

CVE-2026-47838

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7....

CVE-2026-41003

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...

CVE-2026-40993

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository saml2assertingpartymetadata may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials verificationcredentials and...

CVE-2026-40997

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

CVE-2026-40997 SOAP security faults leak Spring Security account state

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

EUVD-2026-36207

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

CVE-2026-40997

The CVE-2026-40997 issue affects Spring Web Services: versions 5.0.0–5.0.1, 4.1.0–4.1.3, 4.0.0–4.0.18, and 3.1.0–3.1.8. The vulnerability arises when several Spring WS integration paths with Spring Security reveal detailed account state (e.g., locked or disabled user semantics) to remote SOAP cli...