CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/04/22 5:20 a.m.•11 views

CVE-2026-22753

Spring Security CVE-2026-22753 affects versions 7.0.0 to 7.0.4 where using securityMatchers(String) together with a PathPatternRequestMatcher.Builder bean to prepend a servlet path can cause requests to fail matching against the filter chain, potentially rendering authentication, authorization, a...

7.5CVSS5.8AI score0.00063EPSS

ATTACKERKB•added 2026/04/22 5:20 a.m.•3 views

CVE-2026-22753

Vulnerability in Spring Spring Security. If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the...

7.5CVSS5.8AI score0.00063EPSS

Cvelist•added 2026/04/22 5:20 a.m.•27 views

CVE-2026-22753 Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers

7.5CVSS0.00063EPSS

Vulnrichment•added 2026/04/22 5:20 a.m.•1 views

CVE-2026-22753 Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers

7.5CVSS5.8AI score0.00063EPSS

Vulnrichment•added 2026/04/22 5:15 a.m.•1 views

CVE-2026-22748 Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

5.3CVSS5.7AI score0.00075EPSS

ATTACKERKB•added 2026/04/22 5:15 a.m.•2 views

CVE-2026-22748

5.3CVSS5.8AI score0.00075EPSS

CVE•added 2026/04/22 5:15 a.m.•7 views

CVE-2026-22748

CVE-2026-22748 affects Spring Security when JWT decoding uses NimbusJwtDecoder or NimbusReactiveJwtDecoder and an OAuth2TokenValidator is not configured separately (e.g., via setJwtValidator). Impact is that the issue can affect authentication integrity (I) with MEDIUM overall severity (CVSS v3.1...

6.5CVSS5.7AI score0.00075EPSS

Cvelist•added 2026/04/22 5:15 a.m.•24 views

CVE-2026-22748 Potential Security Misconfiguration when Using withIssuerLocation

5.3CVSS0.00075EPSS

Vulnrichment•added 2026/04/22 5:8 a.m.•1 views

CVE-2026-22747 Unauthorized User Impersonation when Using X.509 Client Certificates

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

6.8CVSS5.8AI score0.00031EPSS

Cvelist•added 2026/04/22 5:8 a.m.•25 views

CVE-2026-22747 Unauthorized User Impersonation when Using X.509 Client Certificates

6.8CVSS0.00031EPSS

ATTACKERKB•added 2026/04/22 5:8 a.m.•1 views

CVE-2026-22747

6.8CVSS5.8AI score0.00031EPSS

CVE•added 2026/04/22 5:8 a.m.•14 views

CVE-2026-22747

Summary : CVE-2026-22747 affects Spring Security 7.0.0–7.0.4. The issue is in SubjectX500PrincipalExtractor’s handling of certain malformed X.509 certificate CN values, which can cause the system to read the wrong username value and potentially allow attacker impersonation of another user. The co...

8.1CVSS5.8AI score0.00031EPSS

Cvelist•added 2026/04/22 5:2 a.m.•25 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS0.00067EPSS

CVE•added 2026/04/22 5:2 a.m.•6 views

CVE-2026-22746

The CVE concerns Spring Security vulnerability CVE-2026-22746 where the timing-attack defense in DaoAuthenticationProvider can be bypassed when an application uses the UserDetails attributes isEnabled, isAccountNonExpired, or isAccountNonLocked to manage user status. Affected versions include Spr...

3.7CVSS5.7AI score0.00067EPSS

ATTACKERKB•added 2026/04/22 5:2 a.m.•1 views

CVE-2026-22746

3.7CVSS5.7AI score0.00067EPSS

OSV•added 2026/04/22 12:39 a.m.•0 views

CLEANSTART-2026-KB76878 When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written

Multiple security vulnerabilities affect the apache-nifi package. When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. See references for individual vulnerability details...

9.8CVSS7.2AI score0.00038EPSS

Exploits3References17

Positive Technologies•added 2026/04/22 12:0 a.m.•1 views

PT-2026-34252

Name of the Vulnerable Software and Affected Versions Spring Spring Security versions 6.3.0 through 6.3.14 Spring Spring Security versions 6.4.0 through 6.4.14 Spring Spring Security versions 6.5.0 through 6.5.9 Spring Spring Security versions 7.0.0 through 7.0.4 Description An issue exists when ...

6.5CVSS5.8AI score0.00075EPSS

Exploits0References6

CNNVD•added 2026/04/22 12:0 a.m.•7 views

Spring Security 输入验证错误漏洞

Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. Vulnerabilities in input validation exist in versions 6.3.0 to 6.3.14, 6.4.0 to 6.4.14, 6.5.0 to 6.5.9, and 7.0.0 to 7.0.4 of Spring Security. These vulnerabilities stem...

6.5CVSS5.8AI score0.00075EPSS

CNNVD•added 2026/04/22 12:0 a.m.•6 views

Spring Security 安全漏洞

Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. Versions of Spring Security 7.0.4 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the improper handling of certain malformed X.509...

8.1CVSS5.8AI score0.00031EPSS