Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-22732
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
- ❌ spring-security-web-6.2.4.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.
This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:
: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Publish Date: 2026-03-19
URL: CVE-2026-22732
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-19
Fix Resolution: https://github.com/spring-projects/spring-security.git - 7.0.4,https://github.com/spring-projects/spring-security.git - 6.5.9
Step up your Open Source Security Game with Mend here
CVE-2024-38821
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
- ❌ spring-security-web-6.2.4.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
For this to impact an application, all of the following must be true: It must be a WebFlux application, It must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-28
URL: CVE-2024-38821
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c4q5-6c82-3qpw
Release Date: 2024-10-28
Fix Resolution: org.springframework.security:spring-security-web:6.3.4,org.springframework.security:spring-security-web:5.8.15,org.springframework.security:spring-security-web:6.2.7,https://github.com/spring-projects/spring-security.git - 5.7.13,https://github.com/spring-projects/spring-security.git - 5.8.15,https://github.com/spring-projects/spring-security.git - 6.2.7,org.springframework.security:spring-security-web:5.7.13,https://github.com/spring-projects/spring-security.git - 6.3.4
Step up your Open Source Security Game with Mend here
CVE-2026-41845
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41845
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41845
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-web:7.0.8,https://github.com/spring-projects/spring-framework.git - v7.0.8
Step up your Open Source Security Game with Mend here
CVE-2026-22740
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Publish Date: 2026-04-29
URL: CVE-2026-22740
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22740
Release Date: 2026-04-18
Fix Resolution: org.springframework:spring-web:6.2.18,https://github.com/spring-projects/spring-framework.git - v7.0.7,org.springframework:spring-web:7.0.7,https://github.com/spring-projects/spring-framework.git - v6.2.18
Step up your Open Source Security Game with Mend here
CVE-2025-41234
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Publish Date: 2025-06-12
URL: CVE-2025-41234
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41234
Release Date: 2025-06-11
Fix Resolution (org.springframework:spring-web): 6.1.21
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 6.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-41840
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41840
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41840
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-web:7.0.8
Step up your Open Source Security Game with Mend here
CVE-2026-41853
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41853
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41853
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-web:7.0.8
Step up your Open Source Security Game with Mend here
CVE-2024-38809
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Publish Date: 2024-09-27
URL: CVE-2024-38809
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38809
Release Date: 2024-09-27
Fix Resolution (org.springframework:spring-web): 6.1.12
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 6.2.6
Step up your Open Source Security Game with Mend here
CVE-2024-38827
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
- ❌ spring-security-web-6.2.4.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Publish Date: 2024-12-02
URL: CVE-2024-38827
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38827
Release Date: 2024-12-02
Fix Resolution: 6.2.8
Step up your Open Source Security Game with Mend here
CVE-2026-41839
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41839
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41839
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-websocket:7.0.8,org.springframework:spring-web:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-web:6.2.19,org.springframework:spring-websocket:6.2.19
Step up your Open Source Security Game with Mend here
CVE-2024-38820
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution: org.springframework:spring-context:6.1.14
Step up your Open Source Security Game with Mend here
CVE-2026-22735
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
- spring-security-web-6.2.4.jar (Root Library)
- ❌ spring-web-6.1.6.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Publish Date: 2026-03-19
URL: CVE-2026-22735
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22735
Release Date: 2026-03-19
Fix Resolution: org.springframework:spring-webmvc:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6,https://github.com/spring-projects/spring-framework.git - v6.1.21,org.springframework:spring-web:7.0.6,org.springframework:spring-web:6.2.17,org.springframework:spring-webmvc:6.2.17,https://github.com/spring-projects/spring-framework.git - v6.2.17
Step up your Open Source Security Game with Mend here
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.
This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:
: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Publish Date: 2026-03-19
URL: CVE-2026-22732
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-19
Fix Resolution: https://github.com/spring-projects/spring-security.git - 7.0.4,https://github.com/spring-projects/spring-security.git - 6.5.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
For this to impact an application, all of the following must be true: It must be a WebFlux application, It must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-28
URL: CVE-2024-38821
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c4q5-6c82-3qpw
Release Date: 2024-10-28
Fix Resolution: org.springframework.security:spring-security-web:6.3.4,org.springframework.security:spring-security-web:5.8.15,org.springframework.security:spring-security-web:6.2.7,https://github.com/spring-projects/spring-security.git - 5.7.13,https://github.com/spring-projects/spring-security.git - 5.8.15,https://github.com/spring-projects/spring-security.git - 6.2.7,org.springframework.security:spring-security-web:5.7.13,https://github.com/spring-projects/spring-security.git - 6.3.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41845
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41845
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-web:7.0.8,https://github.com/spring-projects/spring-framework.git - v7.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Publish Date: 2026-04-29
URL: CVE-2026-22740
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22740
Release Date: 2026-04-18
Fix Resolution: org.springframework:spring-web:6.2.18,https://github.com/spring-projects/spring-framework.git - v7.0.7,org.springframework:spring-web:7.0.7,https://github.com/spring-projects/spring-framework.git - v6.2.18
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Publish Date: 2025-06-12
URL: CVE-2025-41234
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41234
Release Date: 2025-06-11
Fix Resolution (org.springframework:spring-web): 6.1.21
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 6.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41840
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41840
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-web:7.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41853
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41853
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-web:6.2.19,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-web:7.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Publish Date: 2024-09-27
URL: CVE-2024-38809
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38809
Release Date: 2024-09-27
Fix Resolution (org.springframework:spring-web): 6.1.12
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 6.2.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-security-web-6.2.4.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Publish Date: 2024-12-02
URL: CVE-2024-38827
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38827
Release Date: 2024-12-02
Fix Resolution: 6.2.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Publish Date: 2026-06-09
URL: CVE-2026-41839
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-41839
Release Date: 2026-06-09
Fix Resolution: org.springframework:spring-websocket:7.0.8,org.springframework:spring-web:7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,org.springframework:spring-web:6.2.19,org.springframework:spring-websocket:6.2.19
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution: org.springframework:spring-context:6.1.14
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Publish Date: 2026-03-19
URL: CVE-2026-22735
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22735
Release Date: 2026-03-19
Fix Resolution: org.springframework:spring-webmvc:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6,https://github.com/spring-projects/spring-framework.git - v6.1.21,org.springframework:spring-web:7.0.6,org.springframework:spring-web:6.2.17,org.springframework:spring-webmvc:6.2.17,https://github.com/spring-projects/spring-framework.git - v6.2.17
Step up your Open Source Security Game with Mend here