CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/04/22 12:25 p.m.•1 views

Information Exposure

Overview org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Information Exposure in the DaoAuthenticationProvider component. An attacker can determine the status of user...

6.3CVSS5.5AI score0.00067EPSS

Snyk•added 2026/04/22 12:24 p.m.•1 views

Access Control Bypass

Overview org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to Access Control Bypass in the XML authorization rules processing when the servlet-path attribute is used. An attacker can gain...

8.7CVSS5.4AI score0.00055EPSS

vulnersOsv•added 2026/04/22 12:24 p.m.•6 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +822 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

vulnersOsv•added 2026/04/22 12:24 p.m.•3 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +869 more potentially affected by CVE-2026-22747 via org.springframework.security:spring-security-web (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-web MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

8.1CVSS5.8AI score0.00031EPSS

EUVD•added 2026/04/22 6:30 a.m.•2 views

EUVD-2026-24612

Vulnerability in Spring Spring Security. If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from...

vulnersOsv•added 2026/04/22 6:30 a.m.•5 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

OSV•added 2026/04/22 6:30 a.m.•1 views

GHSA-4VRC-J85C-598C Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules

OSV•added 2026/04/22 6:30 a.m.•1 views

GHSA-4WRG-8WPC-H923 Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

Vulnerability in Spring Spring Security. If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the...

7.5CVSS5.8AI score0.00063EPSS

vulnersOsv•added 2026/04/22 6:30 a.m.•5 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +302 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-oauth2-jose MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4...

6.5CVSS5.8AI score0.00075EPSS

Github Security Blog•added 2026/04/22 6:30 a.m.•5 views

Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

6.5CVSS5.1AI score0.00075EPSS

Exploits0References3Affected Software1

Github Security Blog•added 2026/04/22 6:30 a.m.•2 views

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules

7.5CVSS5.2AI score0.00055EPSS

Exploits0References3Affected Software1

Github Security Blog•added 2026/04/22 6:30 a.m.•3 views

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

7.5CVSS5.2AI score0.00063EPSS

Exploits0References3Affected Software1

vulnersOsv•added 2026/04/22 6:30 a.m.•6 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.4.0.0 <=3.4.0.1), cn.herodotus.engine:oauth2-core (>=3.4.0.0 <=3.4.0.1) +110 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.4.0 <=6.4.13)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.4.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22748 Source advisory:...

6.5CVSS5.8AI score0.00075EPSS

vulnersOsv•added 2026/04/22 6:30 a.m.•5 views

ch.admin.bit.jeap:jeap-archrepo-instance (>=1.24.0 <=1.29.1), ch.admin.bit.jeap:jeap-archrepo-test (>=1.24.0 <=1.29.1) +274 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.5.0 <=6.5.1)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.5.0, =1.24.0, =1.24.0, =1.24.0, =1.0.0, =2.8.0, =2.8.0, =3.10.0, =3.10.0, =8.15.0, =1.2.0, =17.39.0, =17.39.0, =17.39.0, =17.39.0, =17.39.0, =17.39.3 and more Source cves: CVE-2026-22748 Source advisory: OSV:GHSA-CVC6-Q...

6.5CVSS5.8AI score0.00075EPSS

vulnersOsv•added 2026/04/22 6:30 a.m.•4 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)

7.5CVSS5.8AI score0.00063EPSS

OSV•added 2026/04/22 6:30 a.m.•0 views

GHSA-CVC6-Q2CP-2XHW Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

5.3CVSS5.8AI score0.00075EPSS

EUVD•added 2026/04/22 6:30 a.m.•1 views

EUVD-2026-24610

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

5.3CVSS5.7AI score0.00075EPSS

EUVD•added 2026/04/22 6:30 a.m.•0 views

EUVD-2026-24611

7.5CVSS5.8AI score0.00063EPSS

OSV•added 2026/04/22 6:30 a.m.•1 views

GHSA-VXF7-QJ7Q-83FH Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.8AI score0.00067EPSS