Spring Framework (vendor: Spring)
10 CVEs affecting Spring Framework. Latest disclosed: 2026-03-19. Critical: 0, High: 5, Medium: 4, Low: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-22262 | High | 8.1 | 2024-04-16 | Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of th… |
| CVE-2024-22259 | High | 8.1 | 2024-03-16 | Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation chec… |
| CVE-2024-22243 | High | 8.1 | 2024-02-23 | Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of th… |
| CVE-2020-5398 | High | 8.0 | 2020-01-16 | In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a refle… |
| CVE-2024-22233 | High | 7.5 | 2024-01-22 | In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) co… |
| CVE-2026-22737 | Medium | 5.9 | 2026-03-19 | Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from… |
| CVE-2023-34053 | Medium | 5.3 | 2023-11-28 | In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) cond… |
| CVE-2020-5397 | Medium | 5.3 | 2020-01-17 | Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or… |
| CVE-2024-38808 | Medium | 4.3 | 2024-08-20 | In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language… |
| CVE-2025-22233 | Low | 3.1 | 2025-05-16 | CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, the… |
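The first question a practitioner asks of a table like this is "does my pinned spring-core version fall inside any of these ranges?". The following triage script is an added example, not code from the Spring project or from the original page. It encodes only the version bounds that the summaries above state explicitly (CVE-2020-5398, CVE-2020-5397, CVE-2024-22233, CVE-2023-34053 and CVE-2024-38808); the five rows whose summaries are cut off before any version bound are reported as UNKNOWN rather than silently treated as unaffected. The range encoding (inclusive "6.0.0 - 6.0.13" becoming a half-open [6.0.0, 6.0.14), and "older unsupported versions" becoming everything below 5.3.0) is my reading of the summary text, and the function and constant names are my own.

```python
"""Triage a Spring Framework version against the affected ranges this page states.

Added example; not code from the Spring project or from the original page.
Only CVEs whose summaries give concrete version bounds are encoded. The other
rows are truncated on this page, so they are reported as UNKNOWN instead of
being treated as not affected.
"""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

AFFECTED = "AFFECTED"
NOT_AFFECTED = "NOT_AFFECTED"
UNKNOWN = "UNKNOWN (version range truncated on this page)"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; trailing qualifiers such as '.RELEASE' are ignored."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"expected at least major.minor.patch, got {text!r}")
    return (parts[0], parts[1], parts[2])


# Half-open [low, high) ranges transcribed from the table summaries (my encoding):
#   "5.2.x prior to 5.2.3"            -> [5.2.0, 5.2.3)
#   "6.0.0 - 6.0.13" (inclusive)      -> [6.0.0, 6.0.14)
#   "and older unsupported versions"  -> everything below the stated lower bound
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2020-5398": [((5, 2, 0), (5, 2, 3)), ((5, 1, 0), (5, 1, 13)), ((5, 0, 0), (5, 0, 16))],
    "CVE-2020-5397": [((5, 2, 0), (5, 2, 3))],
    "CVE-2024-22233": [((6, 0, 15), (6, 0, 16)), ((6, 1, 2), (6, 1, 3))],  # exactly 6.0.15 and 6.1.2
    "CVE-2023-34053": [((6, 0, 0), (6, 0, 14))],
    "CVE-2024-38808": [((0, 0, 0), (5, 3, 39))],  # 5.3.0 - 5.3.38 and older unsupported versions
}

# Rows whose summaries are cut off on this page before any version bound appears.
TRUNCATED: List[str] = [
    "CVE-2024-22262", "CVE-2024-22259", "CVE-2024-22243", "CVE-2026-22737", "CVE-2025-22233",
]


def classify(version_text: str) -> Dict[str, str]:
    """Return a per-CVE verdict (AFFECTED / NOT_AFFECTED / UNKNOWN) for one version string."""
    v = parse_version(version_text)
    verdicts: Dict[str, str] = {}
    for cve, ranges in AFFECTED_RANGES.items():
        hit = any(low <= v < high for low, high in ranges)
        verdicts[cve] = AFFECTED if hit else NOT_AFFECTED
    for cve in TRUNCATED:
        verdicts[cve] = UNKNOWN
    return verdicts


def affected_cves(version_text: str) -> List[str]:
    """CVE ids whose stated ranges definitely cover this version, sorted for stable output."""
    return sorted(cve for cve, verdict in classify(version_text).items() if verdict == AFFECTED)


if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from any real deployment.
    for candidate in ("5.2.2.RELEASE", "5.3.38", "6.0.15", "6.1.3"):
        hits = affected_cves(candidate)
        print(candidate, "->", hits if hits else "none of the ranges stated on this page")
        print("   unknown:", [c for c, s in classify(candidate).items() if s == UNKNOWN])
```

Treat a NOT_AFFECTED verdict as "not in the ranges this page states", not as a clean bill of health: the UNKNOWN rows still need to be resolved against the full advisories before a version is signed off.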