Description
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
References (1)
Scores
CVSS v3: 2.6
EPSS: 0.0009
EPSS Percentile: 25.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-667
Status: published
Products (7)
org.springframework/spring-webflux: 7.0.0-M1 - 7.0.6 (Maven)
org.springframework/spring-webmvc: 7.0.0-M1 - 7.0.6 (Maven)
Spring/Spring Foundation: 5.3.0 - 5.3.46
Spring/Spring Foundation: 6.1.0 - 6.1.25
Spring/Spring Foundation: 6.2.0 - 6.2.16
Spring/Spring Foundation: 7.0.0 - 7.0.5
vmware/spring_framework: < 5.3.47
Published: Mar 20, 2026
Tracked Since: Mar 20, 2026