15 matches found
EUVD-2026-35342
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...
EUVD-2026-35330
Spring MVC and WebFlux applications are vulnerable to Denial of Service DoS attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...
CVE-2026-41842
The CVE-2026-41842 entry affects Spring Framework in Spring MVC and WebFlux, reporting a Denial of Service (DoS) when resolving static resources. Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The description in both records states the DoS vulnerabil...
CVE-2026-22741
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: the application is using Spring MVC or Spring WebFlux the application is configuring the resource chain support...
CVE-2026-22737 Spring Framework Improper Path Limitation with Script View Templates
Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...
UBUNTU-CVE-2024-38819
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...
spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource
A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a...
SUSE CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...
This Week in Spring - July 26th, 2022
Aloha, Spring fans! Im on vacation, reporting to you from the paradise-like island of Maui, Hawaii, and hoping that youre having a wonderful day! My family and I love Hawaii. Its brimming with beauty and serenity, and while the island of Maui, in the state of Hawaii, is very small, the islands ar...
spring-framework: RCE via Data Binding on JDK 9+
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively affected from Spring Beans, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain...
spring-framework: RCE via Data Binding on JDK 9+
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively affected from Spring Beans, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain...
spring-framework: RCE via Data Binding on JDK 9+
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively affected from Spring Beans, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain...
spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFl...
The vulnerabilities of the spring-webmvc and spring-webflux modules of the Spring Framework allow attackers to perform cross-site request forgery attacks.
The vulnerability of the spring-webmvc and spring-webflux modules of the Spring Framework is related to the lack of protection against Cross-Site Request Forgery CSRF attacks. Exploiting this vulnerability allows a malicious actor to perform CSRF attacks remotely...
springframework: DoS Attack via Range Requests
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...