CVE-2026-22737
Status: Received - Intake
Information Disclosure via Java Scripting in Spring Framework Templates

Publication date: 2026-03-20

Last updated on: 2026-04-23

Assigner: VMware

Description
Use of Java scripting engine enabled template views (e.g. JRuby, Jython) in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.

This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, and from 5.3.0 through 5.3.46.
Meta Information

  • Published: 2026-03-20
  • Last Modified: 2026-04-23
  • Generated: 2026-06-16
  • AI Q&A: 2026-03-20
  • EPSS Evaluated: 2026-06-15
  • External references: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)

Vendor   Product           Version / Range
vmware   spring_framework  up to 5.3.47 (exclusive)
vmware   spring_framework  from 6.1.0 (inclusive) to 6.1.26 (exclusive)
vmware   spring_framework  from 6.2.0 (inclusive) to 6.2.17 (exclusive)
vmware   spring_framework  from 7.0.0 (inclusive) to 7.0.6 (exclusive)
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-22737 is a medium-severity vulnerability in the Spring Framework that affects versions 5.3.0 through 5.3.46, 6.1.0 through 6.1.25, 6.2.0 through 6.2.16, and 7.0.0 through 7.0.5. It occurs when Java scripting engines such as JRuby or Jython are enabled for template views in Spring MVC and Spring WebFlux applications.

The issue arises if the application has a mapping for the path pattern '/**' that leads to view rendering without explicitly specifying the view name. Path limitation is then not properly enforced, allowing disclosure of content from files outside the configured script template view locations.

In other words, files outside the intended template directories can be read and exposed. [1]
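To make the trigger condition in the summary concrete, the following is an added illustration, not code from the Spring project or from the advisory, of a Spring MVC configuration of the shape described: script template views backed by a JRuby engine, a catch-all '/**' handler that returns no view name, and, for contrast, a handler that names its view explicitly. The package, class, script and template names (com.example.web, scripts/render.rb, the render function, classpath:templates/) are assumptions made for this example.

```java
// Added illustration for CVE-2026-22737; not Spring's own code and not from the advisory.
// Names of the package, classes, helper script, render function and template location are assumptions.
package com.example.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ViewResolverRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.script.ScriptTemplateConfigurer;

@Configuration
@EnableWebMvc
public class ScriptViewConfig implements WebMvcConfigurer {

    // Script template views rendered by a JSR-223 engine. "jruby" is the JRuby engine name;
    // a Jython-backed setup differs only in the engine name and the helper script.
    @Bean
    public ScriptTemplateConfigurer scriptTemplateConfigurer() {
        ScriptTemplateConfigurer configurer = new ScriptTemplateConfigurer();
        configurer.setEngineName("jruby");
        configurer.setScripts("scripts/render.rb");          // assumed helper script on the classpath
        configurer.setRenderFunction("render");              // assumed function defined in render.rb
        configurer.setResourceLoaderPath("classpath:templates/"); // the "configured location" for templates
        return configurer;
    }

    @Override
    public void configureViewResolvers(ViewResolverRegistry registry) {
        // View name + ".html" is looked up under the configured resource loader path.
        registry.scriptTemplate().suffix(".html");
    }
}

// Trigger condition named in the summary: a catch-all mapping that falls through to view
// rendering with no explicit view name. A void handler in a plain @Controller makes Spring MVC
// derive the view name from the request path (its default request-to-view-name translation),
// so the request, not the application, decides which template is looked up.
@Controller
class CatchAllController {
    @GetMapping("/**")
    public void catchAll() {
        // intentionally returns nothing: no view name, no ModelAndView
    }
}

// Same application with the trigger condition removed: the handler fixes the view name, so
// the template looked up is "home.html" under classpath:templates/ regardless of the request.
// This narrows exposure but is not a substitute for upgrading to a fixed release.
@Controller
class ExplicitViewController {
    @GetMapping("/home")
    public String home() {
        return "home";   // assumed template: classpath:templates/home.html
    }
}
```

The catch-all handler relies on Spring MVC's default translation of the request path into a view name, which is what lets a request influence which template file is resolved; fixing the view name in the handler removes that condition. Whether a given application is exposed depends on its actual mappings and view configuration, and the upgrade listed under Mitigation Strategies remains the fix.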

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in files outside the configured script template view locations.

An attacker could exploit this flaw remotely over the network without requiring any privileges or user interaction.

The impact is limited to confidentiality: file contents can be exposed, but the flaw does not affect integrity or availability.


Mitigation Strategies

To mitigate CVE-2026-22737, upgrade the Spring Framework to a fixed version:

  • Upgrade to version 7.0.6 if you are using the 7.0.x branch.
  • Upgrade to version 6.2.17 if you are using the 6.2.x branch.
  • Upgrade to version 6.1.26 if you are using the 6.1.x branch (commercial).
  • Upgrade to version 5.3.47 if you are using the 5.3.x branch (commercial).

No additional mitigation steps are necessary beyond upgrading. Where the upgrade has to be scheduled, the trigger condition identified in the summary, a '/**' mapping that falls through to view rendering without an explicit view name in an application using script template views, is what to audit in the meantime; removing that condition narrows exposure but is not a replacement for the upgrade.
