CVE-2026-22735 Server Sent Event stream corruption

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

CVE-2026-22735

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

CVE-2026-22735

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

CVE-2026-22733 Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

CVE-2026-22733

Summary of CVE-2026-22733 : Affected are Spring Boot applications using Actuator with a misconfigured endpoint under the CloudFoundry Actuator path. The issue is described as an Authentication Bypass in several Spring Security versions (2.7.0–2.7.31, 3.3.0–3.3.17, 3.4.0–3.4.14, 3.5.0–3.5.11, 4.0....

CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

CVE-2026-22733 Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

CVE-2026-22732

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy default writing of HTTP Headers: : from 5.7.0 through 5.7.21, from...

CVE-2026-22731

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

CVE-2026-22732 Under Some Conditions Spring Security HTTP Headers Are not Written

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy default writing of HTTP Headers: : from 5.7.0 through 5.7.21, from...

CVE-2026-22732 Under Some Conditions Spring Security HTTP Headers Are not Written

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy default writing of HTTP Headers: : from 5.7.0 through 5.7.21, from...

CVE-2026-22732

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy default writing of HTTP Headers: : from 5.7.0 through 5.7.21, from...

CVE-2026-22732

CVE-2026-22732 affects Spring Security; multiple non-legacy branches are impacted where HTTP response headers for servlet applications may not be written. Affected versions include 5.7.0–5.7.21, 5.8.0–5.8.23, 6.3.0–6.3.14, 6.4.0–6.4.14, 6.5.0–6.5.8, and 7.0.0–7.0.3. The description indicates a he...

CVE-2026-22731

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

CVE-2026-22731 Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

CVE-2026-22731

CVE-2026-22731 affects Spring Boot applications with Actuator. An endpoint that requires authentication, when declared under a specific path already configured for a Health Group additional path, can allow an authentication bypass. Affected versions include Spring Boot 4.0 before 4.0.3, 3.5 befor...

CVE-2026-22733

creationtimestamp| type| source ---|---|--- 2026-03-19 18:03:42+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/spring-security-advisory-av26-259 2026-03-21 03:00:03+00:00| seen| https://spring.io/security/cve-2026-22733 2026-03-21 03:34:16+00:00| seen|...

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by VMware, a US-based company. Versions of VMware Spring Boot prior to 4.0.3, 3.5.11, and 3.4.15 contained security vulnerabilities. These vulnerabilities stemmed from applications that required authentication when specific paths were...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +2568 more potentially affected by CVE-2026-22735 via org.springframework:spring-web (>=7.0.0 <=7.0.5)

org.springframework:spring-web MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0-beta-1, =0.1.1, =4.7.0, =0.2.0, =0.5.0, =0.7.0, =0.7.5 - be.appify.prefab:prefab-core =0.2.0 - be.appify.prefab:prefab-kafka =0.2.0 and more Source cves: CVE-2026-22735 Source advisory:...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Neutralization of Special Element...