Vmware Spring Framework — known CVE vulnerabilities
Every CVE whose affected-product data names Vmware Spring Framework, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (65)
CVE-2016-1000027 — CVSS 9.8 (critical): Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of…
CVE-2018-1270 — CVSS 9.8 (critical): Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose…
CVE-2018-1275 — CVSS 9.8 (critical): Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose…
CVE-2015-5211 — CVSS 9.6 (critical): Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to…
CVE-2018-1258 — CVSS 8.8 (high): Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using…
CVE-2014-0225 — CVSS 8.8 (high): When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions…
CVE-2026-41855 — CVSS 8.1 (high): In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.suppo…
CVE-2024-22259 — CVSS 8.1 (high): Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND…
CVE-2021-22118 — CVSS 7.8 (high): In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege…
CVE-2026-41849 — CVSS 7.5 (high): An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by…
CVE-2024-22233 — CVSS 7.5 (high): In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a…
CVE-2026-41850 — CVSS 7.5 (high): Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service…
CVE-2016-5007 — CVSS 7.5 (high): Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization…
CVE-2016-9878 — CVSS 7.5 (high): An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the…
CVE-2026-41842 — CVSS 7.5 (high): Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions…
CVE-2018-11040 — CVSS 7.5 (high): Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable…
CVE-2023-20860 — CVSS 7.5 (high): Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the…
CVE-2018-1272 — CVSS 7.5 (high): Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support…
CVE-2018-15756 — CVSS 7.5 (high): Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x…
CVE-2020-5398 — CVSS 7.5 (high): In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is…
CVE-2018-15801 — CVSS 7.4 (high): Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be…
CVE-2026-41845 — CVSS 7.1 (high): Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially…
CVE-2011-2894 — CVSS 6.8 (medium): Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize…
CVE-2014-0054 — CVSS 6.8 (medium): The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external…
CVE-2013-4152 — CVSS 6.8 (medium): The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution…
CVE-2013-6429 — CVSS 6.8 (medium): The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external…
CVE-2013-7315 — CVSS 6.8 (medium): The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX…
CVE-2023-20863 — CVSS 6.5 (medium): In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL…
CVE-2026-22740 — CVSS 6.5 (medium): A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances…
CVE-2018-1257 — CVSS 6.5 (medium): Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to…
CVE-2020-5421 — CVSS 6.5 (medium): In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections…
CVE-2022-22950 — CVSS 6.5 (medium): n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL…
CVE-2022-22971 — CVSS 6.5 (medium): In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is…
CVE-2023-20861 — CVSS 6.5 (medium): In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible…
CVE-2026-22737 — CVSS 5.9 (medium): Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in…
CVE-2026-41843 — CVSS 5.9 (medium): Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring…
CVE-2018-11039 — CVSS 5.9 (medium): Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to…
CVE-2018-1271 — CVSS 5.9 (medium): Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to…
CVE-2026-41840 — CVSS 5.9 (medium): Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring…
CVE-2026-41841 — CVSS 5.9 (medium): Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions…
CVE-2026-41846 — CVSS 5.9 (medium): Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow…
CVE-2015-3192 — CVSS 5.5 (medium): Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely…
CVE-2022-22968 — CVSS 5.3 (medium): In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a…
CVE-2018-1199 — CVSS 5.3 (medium): Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14…
CVE-2020-5397 — CVSS 5.3 (medium): Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC…
CVE-2022-22970 — CVSS 5.3 (medium): In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable…
CVE-2023-34053 — CVSS 5.3 (medium): In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a…
CVE-2026-22745 — CVSS 5.3 (medium): Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an…
CVE-2026-41851 — CVSS 5.3 (medium): Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack…
CVE-2026-41853 — CVSS 5.3 (medium): Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0…
CVE-2015-0201 — CVSS 5.0 (medium): The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to…
CVE-2014-3625 — CVSS 5.0 (medium): Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2…
CVE-2026-41847 — CVSS 4.8 (medium): Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework…
CVE-2026-41838 — CVSS 4.8 (medium): IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in…
CVE-2021-22060 — CVSS 4.3 (medium): In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious…
CVE-2024-38808 — CVSS 4.3 (medium): In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring…
CVE-2021-22096 — CVSS 4.3 (medium): In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious…
CVE-2026-41844 — CVSS 4.2 (medium): A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an…
CVE-2026-41854 — CVSS 4.2 (medium): Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may…
CVE-2026-41852 — CVSS 3.7 (low): A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within…
CVE-2026-41848 — CVSS 3.7 (low): Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which…
CVE-2026-22741 — CVSS 3.1 (low): Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can…
CVE-2024-38820 — CVSS 3.1 (low): The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale…
CVE-2026-22735 — CVSS 2.6 (low): Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring…