Spring — Vulnerabilities & Security Advisories 77

Browse all 77 CVE security advisories affecting Spring. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Spring is a widely adopted Java framework designed for building enterprise-level applications, serving as the backbone for numerous critical web services. Its extensive ecosystem has historically exposed developers to diverse security risks, particularly Remote Code Execution (RCE) and Server-Side Request Forgery (SSRF), stemming from complex request handling and deserialization flaws. While Cross-Site Scripting (XSS) and privilege escalation issues also appear in the record, the most severe incidents involve critical RCE vulnerabilities that allow attackers to execute arbitrary code on affected servers. The framework’s modular nature means vulnerabilities in specific components, such as Spring Boot or Spring Security, can impact the entire application stack. With 72 recorded CVEs, maintaining strict dependency updates and adhering to secure coding practices are essential for mitigating these persistent threats in production environments.

CVEs 77

CVE ID	Title	CVSS	Severity	Published
CVE-2026-22754	ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules — Spring Security	7.5	High	2026-04-22
CVE-2026-22753	Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers — Spring Security	7.5	High	2026-04-22
CVE-2026-22748	Potential Security Misconfiguration when Using withIssuerLocation — Spring Security	5.3	Medium	2026-04-22
CVE-2026-22747	Unauthorized User Impersonation when Using X.509 Client Certificates — Spring Security	6.8	Medium	2026-04-22
CVE-2026-22746	User Attribute Enumeration when Using DaoAuthenticationProvider — Spring Security	3.7	Low	2026-04-22
CVE-2026-22751	Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions — Spring Security	4.8	Medium	2026-04-21
CVE-2026-22733	Authentication Bypass under Actuator CloudFoundry endpoints — Spring SecurityCWE-288	8.2	High	2026-03-19
CVE-2025-22234	Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation — Spring SecurityCWE-208	5.3	Medium	2026-01-22
CVE-2025-41232	CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods — Spring Security	9.1	Critical	2025-05-21
CVE-2025-22223	VMware Spring Security 安全漏洞 — Spring SecurityCWE-290	5.3	Medium	2025-03-24
CVE-2025-22228	CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length — Spring Security	7.4	High	2025-03-20
CVE-2024-38810	Missing Authorization When Using @AuthorizeReturnObject — spring securityCWE-287	6.5	Medium	2024-08-20
CVE-2024-22234	CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated — Spring Security	7.4	High	2024-02-20
CVE-2019-11272	PlaintextPasswordEncoder authenticates encoded passwords that are null — Spring SecurityCWE-287	7.7	-	2019-06-26
CVE-2019-3795	Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security — Spring SecurityCWE-330	6.5	-	2019-04-09

This page lists every published CVE security advisory associated with Spring. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

Spring — Vulnerabilities & Security Advisories 77