org.springframework.security:spring-security-config (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework.security:spring-security-config, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2023-34034 — CVSS 9.1 (critical): Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and…
CVE-2026-22753 — CVSS 7.5 (high): Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean…
CVE-2026-22754 — CVSS 7.5 (high): Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to…
CVE-2023-34035 — CVSS 7.3 (high): Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule…
CVE-2023-34042 — CVSS 4.1 (medium): The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be…