org.springframework:spring-webmvc (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework:spring-webmvc, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2014-0225 — CVSS 8.8 (high): When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions…
CVE-2016-9878 — CVSS 7.5 (high): An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the…
CVE-2024-38816 — CVSS 7.5 (high): Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal…
CVE-2024-38819 — CVSS 7.5 (high): Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal…
CVE-2020-5398 — CVSS 7.5 (high): In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is…
CVE-2023-20860 — CVSS 7.5 (high): Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the…
CVE-2014-0054 — CVSS 6.8 (medium): The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external…
CVE-2026-22737 — CVSS 5.9 (medium): Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in…
CVE-2025-41242 — CVSS 5.9 (medium): Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet…
CVE-2026-22745 — CVSS 5.3 (medium): Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an…
CVE-2020-5397 — CVSS 5.3 (medium): Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC…
CVE-2023-34053 — CVSS 5.3 (medium): In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a…
CVE-2024-38828 — CVSS 5.3 (medium): Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
CVE-2014-3625 — CVSS 5.0 (medium): Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2…
CVE-2014-1904 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and…
CVE-2026-22741 — CVSS 3.1 (low): Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can…
CVE-2026-22735 — CVSS 2.6 (low): Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring…