CVE Daily
← All tags

Tag: Spring Framework

All CVEs associated with "Spring Framework". Page 1/1 • 72 CVEs.

About “Spring Framework”

A curated feed of “Spring Framework”-related CVEs appears below. We currently track 72 CVEs for this tag (all time). In the last 365 days, 10 were published. Average CVSS is 6.7 (all time; 6.1 over 365d), and 43% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-524 - Use of Cache Containing Sensitive Information.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: spring-framework

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestExtended SupportEOLLTS
7.07.0.7
6.26.2.18 Soon
6.16.1.21 Expired
6.06.0.23 Expired
5.35.3.39 ExpiredLTS
5.25.2.25 Expired
5.15.1.20 Expired
5.05.0.20Unavailable Expired
4.34.3.30Unavailable Expired
3.23.2.18Unavailable Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Spring Framework”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-30
Medium

CVE-2026-10153

A flaw has been found in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is the function Search of the file org/springframework/cache/support/AbstractCacheManager.java. Th…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-04-29
Low

CVE-2026-22741

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the ap…

CVSS: 3.1 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
2026-04-10
High

CVE-2026-22750

When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead.…

CVSS: 7.5 CWE: CWE-15 - External Control of System or Configuration Setting View on NVD
2026-03-20
Medium

CVE-2026-22737

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations…

CVSS: 5.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-10-16
Medium

CVE-2025-41254

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6…

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2025-10-01
Medium

CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by comprom…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-16
High

CVE-2025-41249

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an is…

CVSS: 7.5 CWE: CWE-285 - Improper Authorization View on NVD
2025-09-15
Critical

CVE-2025-58748

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12 the H2 data source implementation (H2.java) does not verify that a provided JDBC URL starts wi…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-08-18
Medium

CVE-2025-41242

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following ar…

CVSS: 5.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-06-12
Medium

CVE-2025-41234

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” hea…

CVSS: 6.5 CWE: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') View on NVD
2025-05-16
Low

CVE-2025-22233

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible…

CVSS: 3.1 CWE: CWE-20 - Improper Input Validation View on NVD
2024-12-18
High

CVE-2024-55952

DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the jdbc connection string, the parameters are…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2024-08-20
Medium

CVE-2024-38808

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a deni…

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2024-03-16
High

CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be…

CVSS: 8.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2024-01-31
Low

CVE-2024-22236

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary…

CVSS: 3.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2024-01-22
High

CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application i…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-11-28
Medium

CVE-2023-34055

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifi…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2023-34053

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is…

CVSS: 5.3 CWE: N/A View on NVD
2023-10-31
Critical

CVE-2023-47174

Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within th…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2023-04-13
Medium

CVE-2023-20863

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-03-27
High

CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spr…

CVSS: 7.5 CWE: N/A View on NVD
2023-03-23
Medium

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression th…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-12-05
High

CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using th…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2022-05-12
Medium

CVE-2022-22971

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2022-22970

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a Multipar…

CVSS: 5.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2022-04-14
Medium

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectivel…

CVSS: 5.3 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD
2022-04-01
Medium

CVE-2022-22950

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2022-03-30
High

CVE-2022-27772

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServe…

CVSS: 7.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2022-01-10
Medium

CVE-2021-22060

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. Thi…

CVSS: 4.3 CWE: N/A View on NVD
2021-10-28
Medium

CVE-2021-22096

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

CVSS: 4.3 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2021-08-19
Medium

CVE-2021-32602

An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and…

CVSS: 5.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-06-04
High

CVE-2021-29500

bubble fireworks is an open source java package relating to Spring Framework. In bubble fireworks before version 2021.BUILD-SNAPSHOT there is a vulnerability in which the package did not properly ver…

CVSS: 7.5 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2021-05-27
High

CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory,…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2020-09-19
Medium

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depe…

CVSS: 6.5 CWE: N/A View on NVD
2020-04-07
High

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop…

CVSS: 8.1 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2020-01-17
Medium

CVE-2020-5397

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module)…

CVSS: 5.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2020-5398

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it…

CVSS: 7.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-01-10
Medium

CVE-2013-6430

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-01-02
Critical

CVE-2016-1000027

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented with…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2018-10-18
High

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving stati…

CVSS: 7.5 CWE: N/A View on NVD
2018-06-25
High

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through…

CVSS: 7.5 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
Medium

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including…

CVSS: 5.9 CWE: N/A View on NVD
2018-05-11
High

CVE-2018-1258

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unaut…

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory S…

CVSS: 6.5 CWE: N/A View on NVD
2018-04-11
Critical

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STO…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2018-04-06
High

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux se…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, imag…

CVSS: 5.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STO…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2018-03-16
Medium

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
2017-11-27
Critical

CVE-2017-8045

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2017-8028

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.s…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2017-08-22
High

CVE-2015-5258

Cross-site request forgery (CSRF) vulnerability in springframework-social before 1.1.3.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2017-05-25
High

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Diffe…

CVSS: 7.5 CWE: CWE-264 View on NVD
Critical

CVE-2015-5211

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves…

CVSS: 9.6 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
High

CVE-2014-0225

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references…

CVSS: 8.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2017-04-21
Critical

CVE-2016-2173

org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2016-12-29
High

CVE-2016-9878

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result expose…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2016-07-21
High

CVE-2016-0635

Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component…

CVSS: 8.8 CWE: N/A View on NVD
2016-07-12
Medium

CVE-2015-3192

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of servi…

CVSS: 5.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2015-03-10
Medium

CVE-2015-0201

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

CVSS: 5.0 CWE: CWE-254 View on NVD
2015-02-19
Medium

CVE-2014-3578

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2014-11-20
Medium

CVE-2014-3625

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspeci…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2014-04-17
Medium

CVE-2014-0054

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbit…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2014-03-20
Medium

CVE-2014-1904

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-01-26
Medium

CVE-2013-6429

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitra…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2014-01-23
Medium

CVE-2013-7315

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to rea…

CVSS: 6.8 CWE: CWE-264 View on NVD
Medium

CVE-2013-4152

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary fi…

CVSS: 6.8 CWE: CWE-264 View on NVD
2012-12-05
High

CVE-2011-2730

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows re…

CVSS: 7.5 CWE: CWE-16 View on NVD
2012-01-29
Medium

CVE-2012-0936

Cross-site scripting (XSS) vulnerability in web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java in OpenNMS 1.8.x before 1.8.17, 1.9.93 and earlier, and 1.10.x before 1.10.1…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2011-10-04
Medium

CVE-2011-2894

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attacker…

CVSS: 6.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2010-06-21
Medium

CVE-2010-1622

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoa…

CVSS: 6.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2009-04-27
Medium

CVE-2009-1190

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 throu…

CVSS: 5.0 CWE: CWE-399 View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox