CVE-2026-22737
Received Received - Intake

Information Disclosure via Java Scripting in Spring Framework Templates

Vulnerability report for CVE-2026-22737, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-20

Last updated on: 2026-04-23

Assigner: VMware

Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.Β This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-20
Last Modified
2026-04-23
Generated
2026-07-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework to 5.3.47 (exc)
vmware spring_framework From 6.1.0 (inc) to 6.1.26 (exc)
vmware spring_framework From 6.2.0 (inc) to 6.2.17 (exc)
vmware spring_framework From 7.0.0 (inc) to 7.0.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22737 is a medium-severity vulnerability in the Spring Framework that affects versions 5.3.0 to 5.3.46, 6.1.0 to 6.1.25, 6.2.0 to 6.2.16, and 7.0.0 to 7.0.5. It occurs when Java scripting engines like JRuby or Jython are enabled for template views in Spring MVC and Spring WebFlux applications.'}, {'type': 'paragraph', 'content': "The issue arises if the application has a mapping for the path pattern '/**' that leads to view rendering without explicitly specifying the view name. This causes improper path limitation, allowing disclosure of content from files outside the configured script template view locations."}, {'type': 'paragraph', 'content': 'In other words, sensitive files outside the intended directories can be accessed and exposed due to this flaw.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in files outside the intended script template view locations.

An attacker could exploit this flaw remotely over the network without requiring any privileges or user interaction.

The impact is primarily on confidentiality, as sensitive data could be exposed, but it does not affect integrity or availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate CVE-2026-22737, you should upgrade your Spring Framework to the fixed versions.

  • Upgrade to version 7.0.6 if you are using the 7.0.x branch.
  • Upgrade to version 6.2.17 if you are using the 6.2.x branch.
  • Upgrade to version 6.1.26 if you are using the 6.1.x branch (commercial).
  • Upgrade to version 5.3.47 if you are using the 5.3.x branch (commercial).

No additional mitigation steps are necessary beyond upgrading.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart