CVE Daily
← All tags

Tag: Spring Boot

All CVEs associated with "Spring Boot". Page 1/1 • 92 CVEs.

About “Spring Boot”

A curated feed of “Spring Boot”-related CVEs appears below. We currently track 92 CVEs for this tag (all time). In the last 365 days, 28 were published. Average CVSS is 6.4 (all time; 6.3 over 365d), and 42% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-295 - Improper Certificate Validation, CWE-266 - Incorrect Privilege Assignment.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: spring-boot

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestExtended SupportEOLLTS
4.04.0.6
3.53.5.14 Soon
3.43.4.13 Expired
3.33.3.13 Expired
3.23.2.12 Expired
3.13.1.12 Expired
3.03.0.13 Expired
2.72.7.18 Expired
2.62.6.15 Expired
2.52.5.15 Expired
2.42.4.13 Expired
2.32.3.12 Expired
2.22.2.13 Expired
2.12.1.18 Expired
2.02.0.9 Expired
1.51.5.22 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Spring Boot”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-30
Medium

CVE-2026-10152

A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.ja…

CVSS: 6.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2026-05-24
Low

CVE-2026-9370

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/…

CVSS: 3.7 CWE: CWE-759 - Use of a One-Way Hash without a Salt View on NVD
2026-05-14
Medium

CVE-2026-44308

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@Notification…

CVSS: 6.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2026-05-12
Critical

CVE-2026-45091

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's…

CVSS: 9.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-05-03
Low

CVE-2026-7677

A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNotic…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-7676

A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/control…

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-04-28
Medium

CVE-2026-40977

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is starte…

CVSS: 4.7 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Critical

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web applica…

CVSS: 9.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-40975

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values wi…

CVSS: 4.8 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
Medium

CVE-2026-40974

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3…

CVSS: 5.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2026-40973

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack p…

CVSS: 7.0 CWE: CWE-377 - Insecure Temporary File View on NVD
High

CVE-2026-40972

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the att…

CVSS: 7.5 CWE: CWE-208 - Observable Timing Discrepancy View on NVD
2026-04-27
Medium

CVE-2026-40971

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 (fix…

CVSS: 5.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2026-40970

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4…

CVSS: 5.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
2026-03-20
High

CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the C…

CVSS: 8.2 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2026-03-19
High

CVE-2026-22731

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, alrea…

CVSS: 8.2 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2026-01-01
High

CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied header…

CVSS: 7.5 CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') View on NVD
2025-12-30
Medium

CVE-2025-15251

A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstrac…

CVSS: 5.6 CWE: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere View on NVD
2025-12-04
High

CVE-2025-55948

This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission ta…

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-10-28
High

CVE-2025-60354

Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot.

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
2025-09-16
Critical

CVE-2025-41243

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The applicati…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-08-22
High

CVE-2024-48988

SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vul…

CVSS: 7.6 CWE: CWE-564 - SQL Injection: Hibernate View on NVD
2025-08-04
Medium

CVE-2025-8525

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads t…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-07-12
Medium

CVE-2025-7488

A vulnerability has been found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26 and classified as critical. This vulnerability affects the function Download of the f…

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-7487

A vulnerability, which was classified as critical, was found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26. This affects the function SysFileController of the fil…

CVSS: 6.3 CWE: CWE-284 - Improper Access Control View on NVD
2025-07-04
Medium

CVE-2025-53602

Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.

CVSS: 5.3 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2025-06-26
Medium

CVE-2025-6731

A vulnerability was found in yzcheng90 X-SpringBoot up to 5.0 and classified as critical. Affected by this issue is the function uploadApk of the file /sys/oss/upload/apk of the component APK File Ha…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-06-16
Medium

CVE-2025-6108

A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function waterm…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-05-28
Medium

CVE-2025-48927

The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025.

CVSS: 5.3 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2025-05-21
High

CVE-2025-46822

OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path trav…

CVSS: 7.7 CWE: CWE-36 - Absolute Path Traversal View on NVD
2025-05-10
Medium

CVE-2025-4511

A vulnerability was found in vector4wang spring-boot-quick up to 20250422. It has been rated as critical. This issue affects the function ResponseEntity of the file /spring-boot-quick-master/quick-im…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-05-05
Medium

CVE-2025-45618

Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload.

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
2025-05-01
Medium

CVE-2025-4175

A vulnerability, which was classified as critical, was found in AlanBinu007 Spring-Boot-Advanced-Projects up to 3.1.3. This affects the function uploadUserProfileImage of the file /Spring-Boot-Advanc…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-04-27
Medium

CVE-2025-3957

A vulnerability was found in opplus springboot-admin 1.0 and classified as critical. This issue affects some unknown processing of the file \src\main\resources\mapper\sys\SysLogDao.xml. The manipulat…

CVSS: 6.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2025-04-22
Medium

CVE-2025-32952

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restri…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2025-32951

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path an…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-32950

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to a…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Low

CVE-2025-3850

A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This issue affects some unknown processing of the component API. The manipulation leads…

CVSS: 3.7 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2025-3849

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument stu…

CVSS: 4.3 CWE: CWE-620 - Unverified Password Change View on NVD
2025-04-08
Medium

CVE-2025-3413

A vulnerability has been found in opplus springboot-admin up to a2d5310f44fd46780a8686456cf2f9001ab8f024 and classified as critical. Affected by this vulnerability is the function code of the file Sy…

CVSS: 6.3 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2025-3393

A vulnerability was found in mrcen springboot-ucan-admin up to 5f35162032cbe9288a04e429ef35301545143509. It has been classified as problematic. This affects an unknown part of the file /ucan-admin/in…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-03-15
Medium

CVE-2025-2334

A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the com…

CVSS: 5.4 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-2323

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. It has been declared as problematic. This vulnerability affects the function updateQuestionCou of the file /api/mjkj-chat/cha…

CVSS: 4.3 CWE: CWE-840 View on NVD
High

CVE-2025-2322

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. It has been classified as critical. This affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modu…

CVSS: 7.3 CWE: CWE-259 - Use of Hard-coded Password View on NVD
Medium

CVE-2025-2321

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5 and classified as critical. Affected by this issue is some unknown functionality of the file /api/mjkj-chat/cgform-api/addData…

CVSS: 6.3 CWE: CWE-840 View on NVD
2025-03-14
High

CVE-2025-2320

A vulnerability has been found in 274056675 springboot-openai-chatgpt e84f6f5 and classified as critical. Affected by this vulnerability is the function submit of the file /api/blade-user/submit of t…

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-03-11
Low

CVE-2025-2211

A vulnerability was found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sysDictDetail/add. The manipulation of t…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2025-2210

A vulnerability has been found in aitangbao springboot-manager 3.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /sysJob/add. The manipulation…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2025-2209

A vulnerability, which was classified as problematic, was found in aitangbao springboot-manager 3.0. Affected is an unknown function of the file /sysDict/add. The manipulation of the argument name le…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2025-2208

A vulnerability, which was classified as problematic, has been found in aitangbao springboot-manager 3.0. This issue affects some unknown processing of the file /sysFiles/upload of the component File…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2025-2207

A vulnerability classified as problematic was found in aitangbao springboot-manager 3.0. This vulnerability affects unknown code of the file /sys/dept. The manipulation of the argument name leads to…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2025-2206

A vulnerability classified as problematic has been found in aitangbao springboot-manager 3.0. This affects an unknown part of the file /sys/permission. The manipulation of the argument name leads to…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-01-09
Low

CVE-2024-13202

A vulnerability was found in wander-chu SpringBoot-Blog 1.0 and classified as problematic. This issue affects the function modifiyArticle of the file src/main/java/com/my/blog/website/controller/admi…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-13201

A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/ad…

CVSS: 4.7 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-13200

A vulnerability, which was classified as critical, was found in wander-chu SpringBoot-Blog 1.0. This affects the function preHandle of the file src/main/java/com/my/blog/website/interceptor/BaseInter…

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2024-11-14
High

CVE-2024-52302

common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the applicatio…

CVSS: 8.7 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-08-23
Medium

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where co…

CVSS: 6.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-07-19
High

CVE-2024-41600

Insecure Permissions vulnerability in lin-CMS Springboot v.0.2.1 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
2024-04-30
High

CVE-2024-29466

Directory Traversal vulnerability in lsgwr spring boot online exam v.0.9 allows an attacker to execute arbitrary code via the FileTransUtil.java component.

CVSS: 8.8 CWE: CWE-26 - Path Traversal: '/dir/../filename' View on NVD
2024-02-01
Medium

CVE-2024-24062

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-24061

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sysContent/add.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-24060

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-24059

springboot-manager v1.6 is vulnerable to Arbitrary File Upload. The system does not filter the suffixes of uploaded files.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-01-22
High

CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application i…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-12-22
High

CVE-2023-51650

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This coul…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
2023-11-28
Medium

CVE-2023-34055

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifi…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2023-34053

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is…

CVSS: 5.3 CWE: N/A View on NVD
2023-07-14
High

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server S…

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-05-26
High

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used tog…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-05-11
Medium

CVE-2023-29986

spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view.

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-04-20
Critical

CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected ve…

CVSS: 9.8 CWE: N/A View on NVD
2023-01-14
High

CVE-2023-22602

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot…

CVSS: 7.5 CWE: CWE-436 - Interpretation Conflict View on NVD
2022-12-09
High

CVE-2022-46166

Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifie…

CVSS: 8.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2022-11-04
Critical

CVE-2022-31691

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.3…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2022-09-30
Medium

CVE-2022-23726

PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information.

CVSS: 5.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-07-21
High

CVE-2022-32430

An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.

CVSS: 7.5 CWE: N/A View on NVD
2022-04-01
Critical

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2022-03-30
High

CVE-2022-27772

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServe…

CVSS: 7.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2021-12-13
Critical

CVE-2021-39052

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523.

CVSS: 9.8 CWE: N/A View on NVD
2021-11-19
High

CVE-2021-22053

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view t…

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-09-17
Critical

CVE-2021-41303

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2021-08-26
Medium

CVE-2020-19704

A stored cross-site scripting (XSS) vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-05-10
High

CVE-2021-26077

Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for buildi…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
2021-04-16
Medium

CVE-2021-26074

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps.…

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
2021-03-15
Critical

CVE-2021-26987

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to R…

CVSS: 9.8 CWE: N/A View on NVD
2021-01-05
High

CVE-2021-21234

spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-log…

CVSS: 7.7 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2019-07-03
Critical

CVE-2019-9186

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server…

CVSS: 9.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2018-10-18
High

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving stati…

CVSS: 7.5 CWE: N/A View on NVD
2018-09-23
Medium

CVE-2018-17369

An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter.

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-06-25
High

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through…

CVSS: 7.5 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
2018-03-19
Medium

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1…

CVSS: 5.9 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2018-01-04
Critical

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use s…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox