org.springframework.boot:spring-boot (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework.boot:spring-boot, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2026-40976 — CVSS 9.1 (critical): In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an…
CVE-2022-27772 — CVSS 7.8 (high): spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the…
CVE-2025-22235 — CVSS 7.3 (high): EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or…
CVE-2026-40973 — CVSS 7.0 (high): A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When…
CVE-2018-1196 — CVSS 5.9 (medium): Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The…