CVE-2026-22735 — Vulnetix

CVE-2026-22735 PUBLISHED CVSS 2.5999999046325684 LOW

The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.

EPSS 0.09% · 25.9th percentile

Risk Scores

CVSS 3.1

2.5999999046325684

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

EPSS Score

0.09%

25.9th percentile

Affected Products

Vendor	Product	Versions
Maven	org.springframework:spring-webmvc	6.0.0, 7.0.0-M1, 5.3.0
Spring	CLI VSCode Extension	0.9.0 and older
Spring	Spring Foundation	6.1.0, 6.2.0, 6.1.0
Maven	org.springframework:spring-webflux	7.0.0-M1, 6.0.0, 5.3.0

Exploit Intelligence

https://spring.io/security/cve-2026-22718 (circl)
CIRCL seen: CVE-2026-22718 (circl-sighting)
CIRCL seen: CVE-2026-22718 (circl-sighting)
CIRCL seen: CVE-2026-22718 (circl-sighting)
CIRCL seen: CVE-2026-22718 (circl-sighting)
CIRCL seen: CVE-2026-22735 (circl-sighting)
https://spring.io/security/cve-2026-22735 (circl)
dependency-check-suppress.xml (github-poc)
ReleaseLineDocumentationContractTest.kt (github-poc)
owasp-suppressions-pending.xml (github-poc)

…and 32 more exploits

Timeline

Jan 14, 2026 PoC Published
Jan 14, 2026 PoC Published
Jan 15, 2026 PoC Published
Mar 19, 2026 PoC Published
Mar 19, 2026 CVE Published
Mar 20, 2026 EPSS Score
Mar 21, 2026 EPSS Score
Mar 21, 2026 PoC Published
Mar 22, 2026 EPSS Score
Mar 22, 2026 Security Advisory
Mar 23, 2026 EPSS Score
Mar 24, 2026 EPSS Score

References

…and 32 more

Open in Interactive Console →

$ Console Community · 100/wk Open console ›