spring — Vulnerabilities & Security Advisories 72

Browse all 72 CVE security advisories affecting spring. AI-powered Chinese analysis, POCs, and references for each vulnerability.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-40969	Spring gRPC AuthenticationException message reflected to remote client — Spring gRPCCWE-209	3.7	Low	2026-04-28
CVE-2026-40968	Spring gRPC SecurityContext leaks across requests on authorization failure — Spring gRPCCWE-653	4.3	Medium	2026-04-28
CVE-2026-40980	Spring AI<1.0.6/1.1.5 PDF内存耗尽漏洞 — Spring AICWE-400	6.5	Medium	2026-04-28
CVE-2026-40979	Spring AI <1.0.6/1.1.5 共享环境暴露ONNX模型漏洞 — Spring AICWE-377	6.1	Medium	2026-04-28
CVE-2026-40978	Spring AI CosmosDBVectorStore SQL注入漏洞 — Spring AICWE-89	8.8	High	2026-04-28
CVE-2026-40967	Spring AI 1.0.x/1.1.x 过滤器表达式注入漏洞 — Spring AICWE-94	8.6	High	2026-04-28
CVE-2026-40977	Spring Boot ApplicationPidFileWriter导致文件损坏 — Spring BootCWE-59	4.7	Medium	2026-04-27
CVE-2026-40976	Spring Boot 4.0.0-4.0.5 默认Web安全失效漏洞 — Spring BootCWE-862	9.1	Critical	2026-04-27
CVE-2026-40975	Spring Boot弱随机数漏洞致密钥泄露 — Spring BootCWE-330	4.8	Medium	2026-04-27
CVE-2026-40974	Spring Boot Cassandra SSL自动配置缺失主机名验证 — Spring BootCWE-295	5.0	Medium	2026-04-27
CVE-2026-40973	Spring Boot应用临时目录权限绕过致会话劫持 — Spring BootCWE-377	7.0	High	2026-04-27
CVE-2026-40972	Spring Boot DevTools 定时攻击漏洞 — Spring BootCWE-208	7.5	High	2026-04-27
CVE-2026-40971	Spring Boot 3.5-4.0 RabbitMQ自动配置SSL主机名验证缺失 — Spring BootCWE-295	5.0	Medium	2026-04-27
CVE-2026-40970	Spring Boot 4.0.x Elasticsearch主机名验证绕过 — Spring BootCWE-295	5.0	Medium	2026-04-27
CVE-2026-22754	ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules — Spring Security	7.5	High	2026-04-22
CVE-2026-22753	Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers — Spring Security	7.5	High	2026-04-22
CVE-2026-22748	Potential Security Misconfiguration when Using withIssuerLocation — Spring Security	5.3	Medium	2026-04-22
CVE-2026-22747	Unauthorized User Impersonation when Using X.509 Client Certificates — Spring Security	6.8	Medium	2026-04-22
CVE-2026-22746	User Attribute Enumeration when Using DaoAuthenticationProvider — Spring Security	3.7	Low	2026-04-22
CVE-2026-22751	Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions — Spring Security	4.8	Medium	2026-04-21
CVE-2026-22744	VMware Spring AI 安全漏洞 — Spring AI	7.5	High	2026-03-27
CVE-2026-22743	Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore — Spring AI	7.5	High	2026-03-27
CVE-2026-22742	Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching — Spring AI	8.6	High	2026-03-27
CVE-2026-22738	SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution — Spring AI	9.8	Critical	2026-03-27
CVE-2026-22739	Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks — Spring Cloud	8.6	High	2026-03-24
CVE-2026-22737	Spring Framework Improper Path Limitation with Script View Templates — Spring Framework	5.9	Medium	2026-03-19
CVE-2026-22735	Server Sent Event stream corruption — Spring Foundation	2.6	Low	2026-03-19
CVE-2026-22733	Authentication Bypass under Actuator CloudFoundry endpoints — Spring SecurityCWE-288	8.2	High	2026-03-19
CVE-2026-22731	Authentication Bypass under Actuator Health groups paths — Spring BootCWE-288	8.2	High	2026-03-19
CVE-2025-22234	Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation — Spring SecurityCWE-208	5.3	Medium	2026-01-22

This page lists every published CVE security advisory associated with spring. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

spring — Vulnerabilities & Security Advisories 72