CVE-2026-22737

Description

Use of script template views backed by a Java scripting engine (e.g. JRuby, Jython) in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Risk Information

Base Score: 5.9 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 0.063

Associated Vulnerability

Vulnerability                                                                          OS Platform
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webmvc 7.0.6                Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webmvc 6.2.17               Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are affected in Spring-webmvc 6.1.21            Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webflux 7.0.6               Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webflux 6.2.17              Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are affected in Spring-webflux 6.1.21           Windows
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webmvc for Linux 7.0.6      Linux
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webmvc for Linux 6.2.17     Linux
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are affected in Spring-webmvc for Linux 6.1.21  Linux
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webflux for Linux 7.0.6     Linux
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are fixed in Spring-webflux for Linux 6.2.17    Linux
Vulnerabilities CVE-2026-22735,CVE-2026-22737 are affected in Spring-webflux for Linux 6.1.21 Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234