ROOT-APP-MAVEN-CVE-2026-22745 CVE-2026-22745 in io.root.org.springframework:spring-webmvc - Patched by Root

Root has patched CVE-2026-22745 in the io.root.org.springframework:spring-webmvc package for Root:Maven. Multiple fixed versions available...

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Overview org.springframework.data:spring-data-rest-webmvc is a maven plugin for Spring Data REST - WebMVC. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' in the processing of...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.4.0) +4607 more potentially affected by CVE-2026-22745 via org.springframework:spring-webmvc (>=6.1.0 <=6.1.21)

org.springframework:spring-webmvc MAVEN version =6.1.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.5.0, =cloud-0.1, =cloud-0.2.1 and more Source cves: CVE-2026-22745 Source advisory: OSV:GHSA-6P4F-WCWH-5VVM...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.7.4) +1846 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=7.0.0-M1 <=7.0.6)

org.springframework:spring-webmvc MAVEN version =7.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0, =2.0.0, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22741 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-16109603...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +10169 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.0.0 <=6.2.17)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.2.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.8.7 and more Source cves: CVE-2026-22741 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-16109603...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.4.0) +6444 more potentially affected by CVE-2026-22735 via org.springframework:spring-webmvc (>=6.0.0 <=6.1.21)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.5.0, =cloud-0.1, =cloud-0.2.1 and more Source cves: CVE-2026-22735 Source advisory: OSV:GHSA-6HCQ-HMM3-JJ3C...

CVE-2026-22737 Spring Framework Improper Path Limitation with Script View Templates

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

Path Traversal

org.springframework, spring-webmvc is vulnerable to Path Traversal Vulnerability. The vulnerability is due to improper URI path canonicalization in non-compliant Servlet containers when serving static resources, which allows an attacker to bypass security restrictions and access unauthorized file...

UBUNTU-CVE-2024-38819

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a...

The vulnerability of the functional web framework WebFlux.fn within the Spring Framework allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.

The vulnerability of the functional web frameworks WebMvc.fn and WebFlux.fn in the Spring Framework is due to deficiencies in the authentication process. Exploiting this vulnerability allows an attacker to compromise the confidentiality, integrity, and accessibility of the protected information...

Path Traversal

org.springframework:spring-webmvc and org.springframework:spring-webflux are vulnerable to Path Traversal. The vulnerability is due to inadequate validation of file paths in HTTP requests, allowing access to files on the file system when using RouterFunctions with a FileSystemResource location...

The vulnerability in the System.Web.Mvc.dll library of the ASP.NET Model View Controller (MVC) framework allows attackers to bypass security restrictions and perform cross-site scripting attacks.

The vulnerability of the System.Web.Mvc.dll library, which is used by ASP.NET MVC for creating web applications, relates to the lack of security measures taken to protect the web page structure. Exploiting this vulnerability allows an attacker to bypass security restrictions and perform cross-sit...

CVE-2022-43712

POST requests to /web/mvc in GX Software XperienCentral version 10.36.0 and earlier were not blocked for uses that are not logged in. If an unauthorized user is able to bypass other security filters they are able to post unauthorized data to the server because of CVE-2022-22965...

CVE-2022-43712

POST requests to /web/mvc in GX Software XperienCentral version 10.36.0 and earlier were not blocked for uses that are not logged in. If an unauthorized user is able to bypass other security filters they are able to post unauthorized data to the server because of CVE-2022-22965...

SUSE CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...

at.molindo.social:spring-social-config (=1.1.0.RELEASE), at.molindo.social:spring-social-security (=1.1.0.RELEASE) +412 more potentially affected by CVE-2014-3625 via org.springframework:spring-webmvc (>=4.0.0.RELEASE <=4.0.7.RELEASE)

org.springframework:spring-webmvc MAVEN version =4.0.0.RELEASE, =0.4, =1.4.0, =0.0.2, =0.10.1, =0.10.1, =1.0.15-RELEASE, =1.0.16-RELEASE and more Source cves: CVE-2014-3625 Source advisory: OSV:GHSA-HHM4-HWQ6-3C6W...

GHSA-36P3-WJMG-H94X Remote Code Execution in Spring Framework

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell. Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding. The specific exploit requires the...

The vulnerabilities of the spring-webmvc and spring-webflux modules of the Spring Framework allow attackers to perform cross-site request forgery attacks.

The vulnerability of the spring-webmvc and spring-webflux modules of the Spring Framework is related to the lack of protection against Cross-Site Request Forgery CSRF attacks. Exploiting this vulnerability allows a malicious actor to perform CSRF attacks remotely...

springframework: DoS Attack via Range Requests

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...