CVE-2026-22741— Static resource cache poisoning in Spring MVC and WebFlux
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22741
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Static resource cache poisoning in Spring MVC and WebFlux
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过缓存导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Framework 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring Framework是美国威睿(VMware)公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 VMware Spring Framework存在安全漏洞,该漏洞源于解析静态资源时缓存投毒,可能导致拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| VMware | Spring Framework | 7.0.0 ~ 7.0.7 | - |
II. Public POCs for CVE-2026-22741
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22741
请登录查看更多情报信息。
Same Patch Batch · VMware · 2026-04-29 · 3 CVEs total
| CVE-2026-22740 | 6.5 MEDIUM | Spring Framework DoS with Multipart Temp Files in WebFlux |
| CVE-2026-22745 | 5.3 MEDIUM | CVE-2026-22745 : Denial of service in static resource handling on Windows platforms |
IV. Related Vulnerabilities
Same product: Spring Framework
- CVE-2026-22745
CVE-2026-22745 : Denial of service in static resource handli - CVE-2026-22740
Spring Framework DoS with Multipart Temp Files in WebFlux - CVE-2026-22737
Spring Framework Improper Path Limitation with Script View T - CVE-2025-41254
Spring Framework STOMP CSRF Vulnerability - CVE-2025-41249
CVE-2025-41249: Spring Framework Annotation Detection Vulner
Same vendor: VMware
- CVE-2026-22745
CVE-2026-22745 : Denial of service in static resource handli - CVE-2026-22740
Spring Framework DoS with Multipart Temp Files in WebFlux - CVE-2026-40966
VectorStoreChatMemoryAdvisor conversation scoping can lead t - CVE-2026-22750
SSL bundle configuration silently bypassed in Spring Cloud G - CVE-2026-22732
Under Some Conditions Spring Security HTTP Headers Are not W
Same weakness: CWE-524
- CVE-2026-6907
Potential exposure of private data due to incorrect handling - CVE-2025-14806
IBM Planning Analytics Information Disclosure - CVE-2026-27205
Flask session does not add `Vary: Cookie` header when access - CVE-2026-25540
Mastodon's signature-dependent ActivityPub collection respon - CVE-2026-24472
Hono cache middleware ignores "Cache-Control: private" leadi
V. Comments for CVE-2026-22741
No comments yet