org.springframework:spring-web (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework:spring-web, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2016-1000027 — CVSS 9.8 (critical): Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of…
CVE-2024-22262 — CVSS 8.1 (high): Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation…
CVE-2024-22259 — CVSS 8.1 (high): Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND…
CVE-2024-22243 — CVSS 8.1 (high): Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation…
CVE-2021-22118 — CVSS 7.8 (high): In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege…
CVE-2013-6429 — CVSS 6.8 (medium): The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external…
CVE-2025-41234 — CVSS 6.5 (medium): Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file…
CVE-2018-11039 — CVSS 5.9 (medium): Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to…
CVE-2015-3192 — CVSS 5.5 (medium): Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely…
CVE-2013-6430 — CVSS 5.4 (medium): The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not…
CVE-2024-38809 — CVSS 5.3 (medium): Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions…
CVE-2024-38820 — CVSS 3.1 (low): The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale…