CVE-2026-22737

MEDIUM

Spring Framework Improper Path Limitation with Script View Templates

Title source: cna

Description

Script template views rendered through a Java scripting engine (e.g. JRuby, Jython) in Spring MVC and Spring WebFlux applications (Spring's ScriptTemplateView) can disclose the content of files outside the locations configured for script template views (CWE-22). Only applications that render views this way are exposed; applications that do not configure script template views are not affected by this issue. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. Upgrading to a release outside these ranges (the next patch release of each line, e.g. 5.3.47 as listed under Products) addresses the issue.

Scores

CVSS v3 5.9
EPSS 0.0009
EPSS Percentile 25.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (7)
org.springframework/spring-webflux 7.0.0-M1 - 7.0.6 (Maven)
org.springframework/spring-webmvc 7.0.0-M1 - 7.0.6 (Maven)
Spring/Spring Framework 5.3.0 - 5.3.46
Spring/Spring Framework 6.1.0 - 6.1.25
Spring/Spring Framework 6.2.0 - 6.2.16
Spring/Spring Framework 7.0.0 - 7.0.5
vmware/spring_framework < 5.3.47
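The affected ranges in the description and the Maven product entries above are enough to write a dependency check. The following is an added example, not part of this advisory and not code from the Spring project: it parses Spring Framework version strings (including M and RC pre-release qualifiers, which sort before the final release of the same number), tests them against the inclusive affected ranges, and flags the spring-webmvc and spring-webflux artifacts this page lists in output shaped like `mvn dependency:list`. The sample build output is constructed. One assumption to note: the 7.0 range here starts at 7.0.0-M1 because the page's Maven entries include the milestones, whereas the CVE text itself only says 7.0.0 through 7.0.5.

```python
"""Check Spring Framework versions against the affected ranges of CVE-2026-22737."""
import re

# Affected ranges, inclusive, taken from this advisory. The 7.0 range starts at
# 7.0.0-M1 because the Maven product entries on the page list the milestones too
# (an assumption of this example; the CVE text says 7.0.0 through 7.0.5).
AFFECTED_RANGES = [
    ("5.3.0", "5.3.46"),
    ("6.1.0", "6.1.25"),
    ("6.2.0", "6.2.16"),
    ("7.0.0-M1", "7.0.5"),
]

# Artifacts this advisory names; other org.springframework modules are ignored.
VULNERABLE_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Pre-release qualifiers sort before the final release of the same number.
_QUALIFIER_RANK = {"M": 0, "RC": 1}
_FINAL_RANK = 2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(M|RC)(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '7.0.0-RC1' into a comparable tuple; final releases rank above pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Spring version string: {text!r}")
    major, minor, patch, qualifier, qualifier_num = m.groups()
    rank = _QUALIFIER_RANK[qualifier] if qualifier else _FINAL_RANK
    return (int(major), int(minor), int(patch), rank, int(qualifier_num or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (both bounds inclusive)."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Matches the 'groupId:artifactId:type:version:scope' form printed by mvn dependency:list.
_DEP_RE = re.compile(r"org\.springframework:(spring-[a-z-]+):jar:([^:\s]+):")


def scan_dependency_list(output: str) -> list:
    """Return (artifact, version) pairs from the build output that fall in an affected range."""
    findings = []
    for line in output.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.groups()
        if artifact in VULNERABLE_ARTIFACTS and is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed sample output for demonstration; not taken from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:6.2.16:compile
[INFO]    org.springframework:spring-webflux:jar:6.2.17:compile
[INFO]    org.springframework:spring-core:jar:6.2.16:compile
[INFO]    org.springframework:spring-webmvc:jar:7.0.0-RC1:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{artifact} {version}: in an affected range of CVE-2026-22737")
```

A version match only tells you the artifact is in range; whether the application is actually exposed depends on it rendering views through script template views, as the description states, so treat a hit as "upgrade and confirm", not as proof of exploitability.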
Published Mar 20, 2026
Tracked Since Mar 20, 2026