org.springframework.security:spring-security-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework.security:spring-security-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (31)
CVE-2022-22978 — CVSS 9.8 (critical): In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be…
CVE-2014-3527 — CVSS 9.8 (critical): When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service…
CVE-2022-31692 — CVSS 9.8 (critical): Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or…
CVE-2025-41232 — CVSS 9.1 (critical): Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass…
CVE-2020-5407 — CVSS 8.8 (high): Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response…
CVE-2024-22257 — CVSS 8.2 (high): In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8…
CVE-2017-4995 — CVSS 8.1 (high): An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to…
CVE-2025-41248 — CVSS 7.5 (high): The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a…
CVE-2016-5007 — CVSS 7.5 (high): Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization…
CVE-2016-9879 — CVSS 7.5 (high): An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not…
CVE-2021-22119 — CVSS 7.5 (high): Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a…
CVE-2018-15801 — CVSS 7.4 (high): Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be…
CVE-2024-22234 — CVSS 7.4 (high): In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control…
CVE-2019-11272 — CVSS 7.3 (high): Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder…
CVE-2014-0097 — CVSS 7.3 (high): The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the…
CVE-2011-2894 — CVSS 6.8 (medium): Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize…
CVE-2020-5408 — CVSS 6.5 (medium): Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16…
CVE-2024-38810 — CVSS 6.5 (medium): Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations…
CVE-2023-20862 — CVSS 6.3 (medium): In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support…
CVE-2018-1199 — CVSS 5.3 (medium): Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14…
CVE-2025-22223 — CVSS 5.3 (medium): Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an…
CVE-2022-22976 — CVSS 5.3 (medium): Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow…
CVE-2019-3795 — CVSS 5.3 (medium): Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness…
CVE-2025-22234 — CVSS 5.3 (medium): The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow…
CVE-2011-2731 — CVSS 5.1 (medium): Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the…
CVE-2010-3700 — CVSS 5.0 (medium): VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere…
CVE-2012-5055 — CVSS 5.0 (medium): DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check…
CVE-2024-38827 — CVSS 4.8 (medium): The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in…
CVE-2026-22751 — CVSS 4.8 (medium): Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are…
CVE-2011-2732 — CVSS 4.3 (medium): CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows…
CVE-2026-22746 — CVSS 3.7 (low): Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked…