Vulnerability in Spring Framework
CVE-2026-22737
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue af…
EPSS: 0.001 (26.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
- Spring Framework — versions 7.0.0, 6.2.0, 6.1.0
References
Frequently asked questions
- What is CVE-2026-22737?
- CVE-2026-22737 is a medium-severity vulnerability in Spring Framework. CVSS score: 5.9/10. Published 2026-03-19.
- How severe is CVE-2026-22737?
- Medium severity. CVSS v3 base score is 5.9 out of 10.