CVE-2026-22737

CVE Database · CVE-2026-22737

CVE-2026-22737

· MEDIUMAnalyzed

CVSS v3.1

5.9

EPSS

0.39%

Published

Mar 19, 2026

Modified

Apr 23, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-22

Affected Products (4)

vmware · spring_framework (up to 5.3.47)vulnerable

vmware · spring_framework (up to 6.1.26)vulnerable

vmware · spring_framework (up to 6.2.17)vulnerable

vmware · spring_framework (up to 7.0.6)vulnerable

References (1)

https://spring.io/security/cve-2026-22737

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs