
Spring Security — Vulnerabilities & Security Advisories 41

All 41 CVE vulnerabilities found in Spring Security, with AI-generated Chinese analysis, references, and POCs.

This page aggregates vulnerability data for Spring Security, a widely used authentication and access-control framework for Java applications. It collects advisory records for the weakness classes that recur in the framework, such as access-control failures, injection flaws and cryptographic issues, and covers advisories and known exploits published from January 2020 to the present, so that both the historical context and the most recent entries are available in one place. Developers and security analysts can use it to follow the vendor's advisories and patch cycles, to see how a given weakness class tends to manifest in the Spring ecosystem, and to review a deployment's exposure history over time. The entries are consolidated into a single factual reference for assessing risk and choosing remediation; no speculative analysis is added.

Vendor: Pivotal

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-47838 | Unauthorized User Impersonation when Using X.509 Client Certificates | CWE-287 | 6.8 | Medium | 2026-06-09 |
| CVE-2026-41706 | Open Redirect When Using CookieRequestCache | CWE-601 | 6.1 | Medium | 2026-06-09 |
| CVE-2026-41694 | SAML Payloads Decrypted Without Valid Signature | CWE-347 | 3.7 | Low | 2026-06-09 |
| CVE-2026-41008 | Spring Security Authorization Server Open Redirect via request_uri | CWE-601 | 6.1 | Medium | 2026-06-09 |
| CVE-2026-41003 | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting | CWE-79 | 7.6 | High | 2026-06-09 |
| CVE-2026-40993 | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry | CWE-502 | 7.3 | High | 2026-06-09 |
| CVE-2026-40988 | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider | CWE-400 | 7.5 | High | 2026-06-09 |
| CVE-2026-22754 | Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules | | 7.5 | High | 2026-04-22 |
| CVE-2026-22753 | Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers | | 7.5 | High | 2026-04-22 |
| CVE-2026-22748 | Potential Security Misconfiguration when Using withIssuerLocation | | 5.3 | Medium | 2026-04-22 |
| CVE-2026-22747 | Unauthorized User Impersonation when Using X.509 Client Certificates | | 6.8 | Medium | 2026-04-22 |
| CVE-2026-22746 | User Attribute Enumeration when Using DaoAuthenticationProvider | | 3.7 | Low | 2026-04-22 |
| CVE-2026-22751 | Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions | | 4.8 | Medium | 2026-04-21 |
| CVE-2026-22733 | Authentication Bypass under Actuator CloudFoundry endpoints | CWE-288 | 8.2 | High | 2026-03-19 |
| CVE-2026-22732 | Under Some Conditions Spring Security HTTP Headers Are not Written | | 9.1 | Critical | 2026-03-19 |
| CVE-2025-22234 | Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation | CWE-208 | 5.3 | Medium | 2026-01-22 |
| CVE-2025-41248 | Spring Security authorization bypass for method security annotations on parameterized types | | 7.5 | High | 2025-09-16 |
| CVE-2025-41232 | Spring Security authorization bypass for method security annotations on private methods | | 9.1 | Critical | 2025-05-21 |
| CVE-2025-22223 | VMware Spring Security security vulnerability | CWE-290 | 5.3 | Medium | 2025-03-24 |
| CVE-2025-22228 | Spring Security BCryptPasswordEncoder does not enforce maximum password length | | 7.4 | High | 2025-03-20 |
| CVE-2024-38827 | Spring Security Authorization Bypass for Case Sensitive Comparisons | CWE-639 | 4.8 | Medium | 2024-12-02 |
| CVE-2024-38810 | Missing Authorization When Using @AuthorizeReturnObject | CWE-287 | 6.5 | Medium | 2024-08-20 |
| CVE-2024-22257 | VMware Spring Security security vulnerability | | 8.2 | High | 2024-03-18 |
| CVE-2024-22234 | Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated | | 7.4 | High | 2024-02-20 |
| CVE-2023-34042 | VMware Spring Security security vulnerability | | 4.1 | Medium | 2024-02-05 |
| CVE-2023-34034 | VMware Spring Security security vulnerability | | 9.1 | Critical | 2023-07-19 |
| CVE-2023-34035 | Spring Security security vulnerability | | 7.3 | High | 2023-07-18 |
| CVE-2023-20862 | Spring Framework security vulnerability | | 9.4 | - | 2023-04-19 |
| CVE-2022-31690 | VMware Spring Security security vulnerability | | 8.1 | - | 2022-10-31 |
| CVE-2022-22976 | Spring Framework input validation error vulnerability | CWE-190 | 5.3 | - | 2022-05-19 |
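Tracking a vendor's advisories over time is easier when rows like the ones above are turned into structured records that can be filtered and sanity-checked. The following Python is an added example, not code from this page or from the Spring project: it parses a handful of rows copied from the table (constructed sample input, pipe-separated, values taken as the page lists them and not re-verified), derives the qualitative severity from the CVSS score using the CVSS v3.x rating scale (assumed here to be the scale the Severity column follows), flags rows whose listed severity is missing or disagrees with the score, and filters by publication date rather than by the year embedded in the CVE ID.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample input: six rows copied from the advisory table on this
# page, pipe-separated, one column per field (CVE ID, title, CWE, CVSS,
# severity, published). Values are as the page lists them, not re-verified.
SAMPLE_ROWS = """\
CVE-2026-22732 | Under Some Conditions Spring Security HTTP Headers Are not Written | | 9.1 | Critical | 2026-03-19
CVE-2026-22733 | Authentication Bypass under Actuator CloudFoundry endpoints | CWE-288 | 8.2 | High | 2026-03-19
CVE-2025-22234 | BCrypt Password Encoder maximum password length breaks timing attack mitigation | CWE-208 | 5.3 | Medium | 2026-01-22
CVE-2024-38827 | Spring Security Authorization Bypass for Case Sensitive Comparisons | CWE-639 | 4.8 | Medium | 2024-12-02
CVE-2023-20862 | Spring Framework security vulnerability | | 9.4 | - | 2023-04-19
CVE-2022-22976 | Spring Framework input validation error vulnerability | CWE-190 | 5.3 | - | 2022-05-19
"""

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Advisory:
    cve: str
    title: str
    cwe: str          # "" when the page lists none
    cvss: float
    severity: str     # as listed on the page; "-" when missing
    published: date


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale (assumed to match the page's column)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_rows(text: str) -> list[Advisory]:
    """Parse pipe-separated advisory rows, rejecting malformed CVE IDs."""
    advisories = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 6:
            raise ValueError(f"expected 6 columns, got {len(cols)}: {line!r}")
        cve, title, cwe, cvss, severity, published = cols
        if not CVE_ID.match(cve):
            raise ValueError(f"malformed CVE ID: {cve!r}")
        advisories.append(Advisory(cve, title, cwe, float(cvss), severity,
                                   date.fromisoformat(published)))
    return advisories


def severity_mismatches(advisories):
    """(cve, listed, expected) for rows whose listed severity is absent or
    disagrees with what the CVSS score implies."""
    out = []
    for a in advisories:
        expected = cvss_to_severity(a.cvss)
        if a.severity != expected:
            out.append((a.cve, a.severity, expected))
    return out


def published_since(advisories, cutoff_iso: str, min_score: float = 0.0):
    """CVE IDs published on or after cutoff_iso with CVSS >= min_score.
    Filters on the published date, not the year in the CVE ID: an ID is
    reserved in one year and may be published in another (CVE-2025-22234
    above carries a 2026 publication date)."""
    cutoff = date.fromisoformat(cutoff_iso)
    return [a.cve for a in advisories
            if a.published >= cutoff and a.cvss >= min_score]


ADVISORIES = parse_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    for cve, listed, expected in severity_mismatches(ADVISORIES):
        print(f"{cve}: listed severity {listed!r}, CVSS implies {expected}")
    print("High or above since 2026-01-01:",
          published_since(ADVISORIES, "2026-01-01", 7.0))
```

Rows whose severity column is "-" (two of the six sample rows) are reported with the rating their score implies, which is the value a triage queue should use; the date filter is the one to key patch-cycle tracking on, since the CVE year says nothing about when the advisory became public.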
