Every CVE whose affected-product data names Vmware Spring Boot, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (18)
CVE-2023-20873 — CVSS 9.8 (critical): In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry…
CVE-2021-26987 — CVSS 9.8 (critical): Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a…
CVE-2017-8046 — CVSS 9.8 (critical): Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay…
CVE-2026-40976 — CVSS 9.1 (critical): In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an…
CVE-2026-22733 — CVSS 8.2 (high): Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that…
CVE-2026-22731 — CVSS 8.2 (high): Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that…
CVE-2022-27772 — CVSS 7.8 (high): spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the…
CVE-2023-20883 — CVSS 7.5 (high): In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential…
CVE-2026-40972 — CVSS 7.5 (high): An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote…
CVE-2023-22602 — CVSS 7.5 (high): When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass…
CVE-2026-40973 — CVSS 7.0 (high): A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When…
CVE-2018-1196 — CVSS 5.9 (medium): Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The…
CVE-2023-34055 — CVSS 5.3 (medium): In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests…
CVE-2026-40974 — CVSS 5.0 (medium): Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra…
CVE-2026-40971 — CVSS 5.0 (medium): When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to…
CVE-2026-40970 — CVSS 5.0 (medium): When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting…
CVE-2026-40975 — CVSS 4.8 (medium): Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long}…
CVE-2026-40977 — CVSS 4.7 (medium): When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can…