Lucene search
+L
VmwareSpring Framework6.2.0

21 matches found

CVE
CVE
added 2026/06/09 3:50 a.m.239 views

CVE-2026-41842

The CVE-2026-41842 entry affects Spring Framework in Spring MVC and WebFlux, reporting a Denial of Service (DoS) when resolving static resources. Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The description in both records states the DoS vulnerabil...

7.5CVSS5.5AI score0.00399EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.236 views

CVE-2026-41850

Spring Framework vulnerability CVE-2026-41850 affects the evaluation of user-supplied Spring Expression Language (SpEL) expressions. The issue is an Algorithmic Denial of Service (DoS) caused by crafted expressions triggering excessive resource consumption during evaluation, degrading or taking d...

7.5CVSS5.5AI score0.0036EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.233 views

CVE-2026-41855

CVE-2026-41855 affects Spring Framework components MappingJackson2MessageConverter and JacksonJsonMessageConverter in untrusted JMS environments, enabling arbitrary class instantiation and gadget deserialization that could lead to unauthorized actions. Affected versions include Spring Framework 7...

9.8CVSS5.6AI score0.00268EPSS
CVE
CVE
added 2026/04/29 11:32 a.m.186 views

CVE-2026-22741

CVE-2026-22741 – cache poisoning in static resources (Spring MVC/WebFlux) . When an app uses Spring MVC/WebFlux with resource chain caching enabled and encoded resource resolution, and the resource cache is empty, an attacker can poison the cache by sending crafted requests with incorrect encodin...

3.1CVSS5.3AI score0.00236EPSS
CVE
CVE
added 2026/04/29 10:46 a.m.184 views

CVE-2026-22740

The CVE-2026-22740 issue affects Spring Framework WebFlux multipart request handling. The root cause is cleanup of temporary files created for parts larger than 10 KB, which in some cases are not deleted after the request completes, enabling an attacker to exhaust disk space (Denial of Service). ...

6.5CVSS5.2AI score0.00344EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.153 views

CVE-2026-41848

CVE-2026-41848 affects Spring Framework via a ReDoS vulnerability in AntPathMatcher. Affected versions are 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The issue arises when a crafted pattern is supplied to AntPathMatcher methods (match, matchStart, extractUriTemplateVariables). The...

7.5CVSS5.4AI score0.00317EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.143 views

CVE-2026-41851

CVE-2026-41851 describes a Denial of Service risk in Spring Framework where evaluating user-provided SpEL expressions can trigger unbounded cache growth. Affected versions include Spring Framework 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The DoS arises from how SpEL expressions ...

7.5CVSS5.4AI score0.0036EPSS
CVE
CVE
added 2026/06/09 3:49 a.m.138 views

CVE-2026-41838

Spring Framework's WebSocket session IDs in the spring-websocket module are not cryptographically unpredictable, enabling potential session hijacking in environments with weak authorization. Affected: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. Risk summary: predictabl...

7.5CVSS5.5AI score0.00171EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.118 views

CVE-2026-41853

CVE-2026-41853 concerns Multipart request smuggling in Spring Framework’s Spring MVC and WebFlux components. Affected are Spring Framework versions: 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The CVE entry identifies the issue as a vulnerability in multipart handling, with an accompan...

5.3CVSS5.5AI score0.00186EPSS
CVE
CVE
added 2026/03/19 11:53 p.m.103 views

CVE-2026-22737

CVE-2026-22737 affects Spring Framework components that render script template views via a Java scripting engine (e.g., JRuby, Jython) in Spring MVC and Spring WebFlux. The issue allows disclosure of content from files outside configured script template view locations due to the scripting engine ...

5.9CVSS5.7AI score0.00385EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.90 views

CVE-2026-41840

Spring WebFlux applications are vulnerable to Denial of Service when processing multipart requests. Affected: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. CVSSv3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 5.9, MEDIUM). Exploitation details are not provided in th...

5.9CVSS5.8AI score0.00247EPSS
CVE
CVE
added 2026/03/19 11:37 p.m.78 views

CVE-2026-22735

CVE-2026-22735 affects Spring MVC and Spring WebFlux applications via Server-Sent Events (SSE) stream handling. Concrete details in the connected documents show impact on Spring Framework components: Spring Foundation versions 5.3.0–5.3.46, 6.1.0–6.1.25, 6.2.0–6.2.16, and 7.0.0–7.0.5 experience s...

2.6CVSS5.8AI score0.00112EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.71 views

CVE-2026-41845

The CVE-2026-41845 entry affects Spring Framework versions 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The issue stems from incorrect escaping in JavaScriptUtils.javaScriptEscape(), which may allow JavaScript code injection in the browser and enable cross-site scripting (XSS). The ...

7.1CVSS5.3AI score0.00161EPSS
CVE
CVE
added 2026/06/09 3:49 a.m.70 views

CVE-2026-41839

The CVE-2026-41839 affects Spring Framework WebFlux. A WebFlux application with a compromised subdomain (e.g., via XSS) is vulnerable to an escalation attack that exchanges a known session ID for that of an authenticated user. Affected versions are: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1...

4.2CVSS5.2AI score0.00197EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.66 views

CVE-2026-41854

The CVE affects Spring Framework 7.0.0–7.0.7 and 6.2.0–6.2.18, where incorrect host parsing in UriComponentsBuilder may allow a server-side request forgery (SSRF) when parsing an externally provided URL string. The vulnerability is described as an SSRF condition resulting from this parsing flaw. ...

6.5CVSS5.5AI score0.00123EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.65 views

CVE-2026-41843

CVE-2026-41843 affects Spring Framework, specifically Spring MVC and WebFlux, where path traversal can occur when resolving static resources. Affected versions include 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The connected documents confirm the vulnerability class as path traver...

5.9CVSS5.5AI score0.00341EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.59 views

CVE-2026-41844

The CVE-2026-41844 entry concerns Spring Framework components Spring MVC and Spring WebFlux. Affected are Spring Framework versions 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; and 5.3.0–5.3.48. Description: when an application configures a mapping for "/**" and the view name is not explicitly specif...

6.1CVSS5.6AI score0.00134EPSS
CVE
CVE
added 2026/04/29 11:35 a.m.53 views

CVE-2026-22745

The vulnerability is in the Spring Framework’s static resource resolution when serving file-system backed resources in Spring MVC/WebFlux apps on Windows. Affected component: org.springframework:spring-core. Under the conditions that the app uses Spring MVC or Spring WebFlux, serves static resour...

5.3CVSS5.4AI score0.00341EPSS
CVE
CVE
added 2026/06/09 3:51 a.m.52 views

CVE-2026-41852

The CVE affects Spring Framework via SpEL evaluation allowing arbitrary zero-argument method invocation in restricted/read-only contexts across multiple versions (7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48). Root cause is the SpEL evaluation logic, enabling invocation of unintended app...

5.3CVSS5.6AI score0.00164EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.49 views

CVE-2026-41846

The CVE concerns Spring Framework: JSP form tag attributes cssClass, cssErrorClass, and cssStyle in Spring MVC applications can be exploited to inject arbitrary HTML/JavaScript, enabling cross-site scripting (XSS). Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5....

6.1CVSS5.4AI score0.0014EPSS
CVE
CVE
added 2026/06/09 3:50 a.m.47 views

CVE-2026-41841

CVE-2026-41841 affects Spring Framework versions 5.3.0–5.3.48; 6.1.0–6.1.27; 6.2.0–6.2.18; 7.0.0–7.0.7. It describes Information Disclosure via the static resource cache in Spring MVC and WebFlux when resolving static resources. The root cause and exact exploit path are not detailed in the provid...

5.9CVSS5.5AI score0.00313EPSS