DEBIAN-CVE-2026-22737
PUBLISHED
CVSS 5.9 MEDIUM
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Risk Scores
CVSS v3.1
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | libspring-java | 0, 4.3.30-4, 4.3.30-3 |
| Debian:11 | libspring-java | 4.3.30-1, 0, 4.3.30-2 |
| Debian:12 | libspring-java | 4.3.30-2, 4.3.30-3, 4.3.30-4 |
| Debian:14 | libspring-java | 0, 4.3.30-3, 4.3.30-4 |
Timeline
- Mar 20, 2026 CVE Published
- Apr 28, 2026 CVE Updated