
Spring — Vulnerabilities & Security Advisories (77)

Browse all 77 CVE security advisories affecting Spring. AI-powered Chinese analysis, PoCs, and references are provided for each vulnerability.

Spring is a widely adopted Java framework for building enterprise applications and underpins many critical web services. Its large ecosystem has historically carried a broad range of security risks, most notably Remote Code Execution (RCE) and Server-Side Request Forgery (SSRF) arising from complex request handling, expression-language evaluation and deserialization flaws. Cross-Site Scripting (XSS) and privilege-escalation issues also appear in the record, but the most severe incidents are critical RCE vulnerabilities that let an attacker execute arbitrary code on the affected server. Because the framework is modular, a vulnerability in one component, such as Spring Boot or Spring Security, can affect the entire application stack. With more than 70 recorded CVEs, strict dependency updates and secure coding practices are essential to mitigate these persistent threats in production.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41705 | Spring AI MilvusVectorStore injection vulnerability affecting 1.0.x-1.1.x | Spring AI | CWE-917 | 8.6 | High | 2026-05-09 |
| CVE-2026-40981 | Spring Cloud Config remote code execution vulnerability | Spring Cloud Config | CWE-639 | 7.5 | High | 2026-05-07 |
| CVE-2026-41002 | TOCTOU vulnerability in multiple Spring Cloud Config versions | Spring Cloud Config | CWE-367 | 7.4 | High | 2026-05-07 |
| CVE-2026-41004 | Sensitive information logged in plaintext in multiple Spring Cloud Config versions | Spring Cloud Config | CWE-532 | 4.4 | Medium | 2026-05-07 |
| CVE-2026-40982 | Spring Cloud Config directory traversal vulnerability | Spring Cloud Config | CWE-22 | 9.1 | Critical | 2026-05-07 |
| CVE-2026-40969 | Spring gRPC AuthenticationException message reflected to remote client | Spring gRPC | CWE-209 | 3.7 | Low | 2026-04-28 |
| CVE-2026-40968 | Spring gRPC SecurityContext leaks across requests on authorization failure | Spring gRPC | CWE-653 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-40980 | VMware Spring AI resource management error vulnerability | Spring AI | CWE-400 | 6.5 | Medium | 2026-04-28 |
| CVE-2026-40979 | VMware Spring AI security vulnerability | Spring AI | CWE-377 | 6.1 | Medium | 2026-04-28 |
| CVE-2026-40978 | VMware Spring AI SQL injection vulnerability | Spring AI | CWE-89 | 8.8 | High | 2026-04-28 |
| CVE-2026-40967 | VMware Spring AI code injection vulnerability | Spring AI | CWE-94 | 8.6 | High | 2026-04-28 |
| CVE-2026-40977 | VMware Spring Boot link following vulnerability | Spring Boot | CWE-59 | 4.7 | Medium | 2026-04-27 |
| CVE-2026-40976 | VMware Spring Boot security vulnerability | Spring Boot | CWE-862 | 9.1 | Critical | 2026-04-27 |
| CVE-2026-40975 | VMware Spring Boot security feature issue vulnerability | Spring Boot | CWE-330 | 4.8 | Medium | 2026-04-27 |
| CVE-2026-40974 | VMware Spring Boot trust management issue vulnerability | Spring Boot | CWE-295 | 5.0 | Medium | 2026-04-27 |
| CVE-2026-40973 | VMware Spring Boot security vulnerability | Spring Boot | CWE-377 | 7.0 | High | 2026-04-27 |
| CVE-2026-40972 | VMware Spring Boot security vulnerability | Spring Boot | CWE-208 | 7.5 | High | 2026-04-27 |
| CVE-2026-40971 | VMware Spring Boot trust management issue vulnerability | Spring Boot | CWE-295 | 5.0 | Medium | 2026-04-27 |
| CVE-2026-40970 | VMware Spring Boot trust management issue vulnerability | Spring Boot | CWE-295 | 5.0 | Medium | 2026-04-27 |
| CVE-2026-22754 | Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules | Spring Security | | 7.5 | High | 2026-04-22 |
| CVE-2026-22753 | Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers | Spring Security | | 7.5 | High | 2026-04-22 |
| CVE-2026-22748 | Potential Security Misconfiguration when Using withIssuerLocation | Spring Security | | 5.3 | Medium | 2026-04-22 |
| CVE-2026-22747 | Unauthorized User Impersonation when Using X.509 Client Certificates | Spring Security | | 6.8 | Medium | 2026-04-22 |
| CVE-2026-22746 | User Attribute Enumeration when Using DaoAuthenticationProvider | Spring Security | | 3.7 | Low | 2026-04-22 |
| CVE-2026-22751 | Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions | Spring Security | | 4.8 | Medium | 2026-04-21 |
| CVE-2026-22744 | VMware Spring AI security vulnerability | Spring AI | | 7.5 | High | 2026-03-27 |
| CVE-2026-22743 | Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore | Spring AI | | 7.5 | High | 2026-03-27 |
| CVE-2026-22742 | Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching | Spring AI | | 8.6 | High | 2026-03-27 |
| CVE-2026-22738 | SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution | Spring AI | | 9.8 | Critical | 2026-03-27 |
| CVE-2026-22739 | Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks | Spring Cloud | | 8.6 | High | 2026-03-24 |
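Two entries in the table, CVE-2026-22738 (SpEL injection via an unescaped filter key in SimpleVectorStore) and the CWE-917 Milvus entry CVE-2026-41705, describe the same bug class: an attacker-controlled filter key or value is spliced into Spring Expression Language source text and then evaluated. The following is an added, hypothetical example written for this page, not the Spring AI code and not a reproduction of either CVE. It shows the vulnerable concatenation, the escaping fix, and a restricted evaluation context as defence in depth. The `Doc` class, the builder methods and the constructed malicious key are assumptions; the `Runtime` type is only looked up, never invoked.

```java
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Hypothetical illustration of CWE-917 (expression language injection) in a
 * SpEL-based metadata filter, written for this page. It is not the Spring AI
 * SimpleVectorStore or MilvusVectorStore code; only the pattern is the same:
 * an untrusted filter key or value is spliced into SpEL source text.
 */
public class SpelFilterDemo {

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /** Root object the filter is evaluated against (hypothetical document shape). */
    public static class Doc {
        private final Map<String, Object> metadata;
        public Doc(Map<String, Object> metadata) { this.metadata = metadata; }
        public Map<String, Object> getMetadata() { return metadata; }
    }

    /** Vulnerable: key and value land in the expression source unescaped. */
    static String buildFilterUnsafe(String key, String value) {
        return "metadata['" + key + "'] == '" + value + "'";
    }

    /** Hardened: a SpEL string literal is delimited by single quotes, so doubling
     *  every embedded quote keeps the whole input inside the literal. */
    static String spelLiteral(String s) {
        return "'" + s.replace("'", "''") + "'";
    }

    static String buildFilterSafe(String key, String value) {
        return "metadata[" + spelLiteral(key) + "] == " + spelLiteral(value);
    }

    /** Full-power context: T(...) type references, constructors and method
     *  calls are all reachable from the expression text. */
    static boolean evalStandard(String expr, Doc root) {
        Expression e = PARSER.parseExpression(expr);
        EvaluationContext ctx = new StandardEvaluationContext();
        return Boolean.TRUE.equals(e.getValue(ctx, root, Boolean.class));
    }

    /** Read-only data-binding context: no TypeLocator, no bean references,
     *  no constructors; a T(...) reference throws instead of resolving. */
    static boolean evalRestricted(String expr, Doc root) {
        Expression e = PARSER.parseExpression(expr);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return Boolean.TRUE.equals(e.getValue(ctx, root, Boolean.class));
    }

    public static void main(String[] args) {
        Doc doc = new Doc(Map.of("tenant", "acme"));

        // Constructed malicious key: closes the literal, ORs in a type reference
        // (the RCE primitive), then re-opens a literal so the expression still
        // parses. Runtime is only looked up here, nothing is executed.
        String evilKey = "tenant'] == 'x' or T(java.lang.Runtime).getRuntime() != null or metadata['y";

        String unsafe = buildFilterUnsafe(evilKey, "acme");
        System.out.println("unsafe source : " + unsafe);
        // Prints true: the injected T(...) branch was evaluated inside the filter.
        System.out.println("unsafe/standard   -> " + evalStandard(unsafe, doc));

        // Mitigation 1: escape the literal. The whole key is now one string, the
        // map lookup returns null and the comparison is simply false.
        String safe = buildFilterSafe(evilKey, "acme");
        System.out.println("safe source   : " + safe);
        System.out.println("safe/standard     -> " + evalStandard(safe, doc));

        // Mitigation 2: even with the unsafe source, a restricted context refuses
        // the type reference. Defence in depth, not a substitute for escaping.
        try {
            evalRestricted(unsafe, doc);
        } catch (SpelEvaluationException ex) {
            System.out.println("unsafe/restricted -> rejected: " + ex.getMessageCode());
        }

        // A legitimate key still works under the restricted context.
        System.out.println("legit/restricted  -> " + evalRestricted(buildFilterSafe("tenant", "acme"), doc));
    }
}
```

Escaping the literal is the primary fix because it keeps untrusted text inside the grammar position the developer intended; `SimpleEvaluationContext` limits the damage if an escaping bug slips through, since it has no `TypeLocator`, no `BeanResolver` and no constructor resolution, but it cannot stop an injected expression from reading other properties of the root object.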

This page lists every published CVE security advisory associated with Spring. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage; verify affected-version ranges against the vendor advisory before acting on a score.