org.springframework:spring-webflux (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework:spring-webflux, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2020-5398 — CVSS 7.5 (high): In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is…
CVE-2024-38816 — CVSS 7.5 (high): Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal…
CVE-2024-38819 — CVSS 7.5 (high): Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal…
CVE-2026-22740 — CVSS 6.5 (medium): A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances…
CVE-2026-22737 — CVSS 5.9 (medium): Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in…
CVE-2020-5397 — CVSS 5.3 (medium): Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC…
CVE-2026-22745 — CVSS 5.3 (medium): Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an…
CVE-2026-22741 — CVSS 3.1 (low): Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can…
CVE-2026-22735 — CVSS 2.6 (low): Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring…