VMware Spring Framework
53 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Description
CVE-2026-22745 | < 5.3.48 | 5.3 MEDIUM | Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely,
CVE-2026-22741 | < 5.3.48 | 3.1 LOW | Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an applic
CVE-2026-22740 | < 5.3.48 | 6.5 MEDIUM | A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumsta
CVE-2026-22737 | < 5.3.47 | 5.9 MEDIUM | Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result
CVE-2026-22735 | < 5.3.47 | 2.6 LOW | Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects S
CVE-2024-38820 | >= 5.3.0 and < 5.3.41 | 3.1 LOW | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has som
CVE-2024-38808 | >= 5.3.0 and < 5.3.39 | 4.3 MEDIUM | In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially craft
CVE-2024-22259 | < 5.3.33 | 8.1 HIGH | Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query paramete
CVE-2024-22233 | all versions | 7.5 HIGH | In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause
CVE-2023-34053 | >= 6.0.0 and < 6.0.14 | 5.3 MEDIUM | In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a
CVE-2023-20863 | >= 5.2.0 and < 5.2.24 | 6.5 MEDIUM | In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially craft
CVE-2023-20860 | >= 5.3.0 and < 5.3.26 | 7.5 HIGH | Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the
CVE-2023-20861 | <= 5.2.22 | 6.5 MEDIUM | In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is
CVE-2022-22971 | >= 5.2.0 and <= 5.2.21 | 6.5 MEDIUM | In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endp
CVE-2022-22970 | <= 5.2.21 | 5.3 MEDIUM | In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vu
CVE-2022-22968 | < 5.2.0 | 5.3 MEDIUM | In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on
CVE-2022-22965 | < 5.2.20 | 9.8 CRITICAL | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Th
CVE-2022-22950 | < 5.2.20 | 6.5 MEDIUM | In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafte
CVE-2021-22060 | >= 5.2.0 and <= 5.2.18 | 4.3 MEDIUM | In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide
CVE-2021-22096 | >= 5.2.0 and <= 5.2.17 | 4.3 MEDIUM | In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide
CVE-2021-22118 | >= 5.2.0 and < 5.2.15 | 7.8 HIGH | In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a pr
CVE-2020-5421 | < 4.3.29 | 6.5 MEDIUM | In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the pr
CVE-2020-5397 | >= 5.2.0 and < 5.2.3 | 5.3 MEDIUM | Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring
CVE-2020-5398 | >= 5.0.0 and < 5.0.16 | 7.5 HIGH | In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an applica
CVE-2013-6430 | >= 3.0.0 and < 3.2.2 | 5.4 MEDIUM | The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does n
CVE-2016-1000027 | < 6.0.0 | 9.8 CRITICAL | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserializatio
CVE-2018-15801 | >= 5.1.0 and < 5.1.2 | 7.4 HIGH | Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order
CVE-2018-15756 | >= 4.2.0 and < 4.3.20 | 7.5 HIGH | Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on t
CVE-2018-11040 | < 4.3.18 | 7.5 HIGH | Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications
CVE-2018-11039 | < 4.3.18 | 5.9 MEDIUM | Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applica
CVE-2018-1258 | all versions | 8.8 HIGH | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when
CVE-2018-1257 | < 4.3.17 | 6.5 MEDIUM | Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows application
CVE-2018-1275 | >= 4.3.0 and < 4.3.16 | 9.8 CRITICAL | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications
CVE-2018-1272 | >= 4.3.0 and < 4.3.15 | 7.5 HIGH | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side
CVE-2018-1271 | >= 4.3.0 and < 4.3.15 | 5.9 MEDIUM | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications
CVE-2018-1270 | < 4.3.16 | 9.8 CRITICAL | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications
CVE-2018-1199 | >= 4.3.0 and < 4.3.14 | 5.3 MEDIUM | Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before
CVE-2016-5007 | all versions | 7.5 HIGH | Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for auth
CVE-2015-5211 | all versions | 9.6 CRITICAL | Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vuln
CVE-2014-0225 | all versions | 8.8 HIGH | When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported
CVE-2016-9878 | all versions | 7.5 HIGH | An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to t
CVE-2015-3192 | all versions | 5.5 MEDIUM | Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entire
CVE-2015-0201 | all versions | not listed | The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attac
CVE-2014-3578 | >= 3.2.0 and < 3.2.9 | not listed | Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to rea
CVE-2014-3625 | >= 3.0.4 and <= 3.0.7 | not listed | Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x bef
CVE-2014-0054 | <= 3.2.7 | not listed | The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable ex
CVE-2014-1904 | >= 3.0.0 and < 3.2.8 | not listed | Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.
CVE-2013-6429 | all versions | not listed | The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable exte
CVE-2013-7315 | <= 3.2.3 | not listed | The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the
CVE-2013-4152 | <= 3.2.3 | not listed | The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity reso
CVE-2011-2730 | <= 2.5.7_sr01 | not listed | VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression L
CVE-2011-2894 | >= 3.0.0 and <= 3.0.5 | not listed | Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions des
CVE-2010-1622 | all versions | not listed | SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin