CVE-2026-22737
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Script template views backed by a Java scripting engine (for example JRuby or Jython) in Spring MVC and Spring WebFlux applications can disclose the content of files outside the locations configured for script template views. This issue affects Spring Framework 7.0.0 through 7.0.5, 6.2.0 through 6.2.16, 6.1.0 through 6.1.25, and 5.3.0 through 5.3.46.
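The description does not say how a template name ends up outside the configured location, and this page carries no exploit details. The block below is an added, generic illustration of the bug class, not Spring Framework code and not the vendor's fix: a template loader that joins a caller-controlled name under its root with no containment check, beside one that resolves the path and rejects anything that does not sit strictly inside the root (including `..` segments, absolute paths and symlinks). The `load_template_*` helpers, the temporary fixture, the `hello.rb` template and the `secret.txt` file are all constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_template_path(template_root, name):
    """Vulnerable pattern: the caller-controlled name is joined under the root with no
    check on where the result ends up, so '../secret.txt' or an absolute path escapes."""
    return os.path.join(template_root, name)


def load_template_unsafe(template_root, name):
    with open(naive_template_path(template_root, name), encoding="utf-8") as f:
        return f.read()


def resolve_template(template_root, name):
    """Hardened pattern: resolve both paths (collapsing '..' and following symlinks) and
    require the candidate to be strictly inside the root before touching the file."""
    root = Path(template_root).resolve()
    # If `name` is absolute, pathlib drops `root` here; the containment check catches that.
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"template {name!r} resolves to {candidate}, outside {root}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def load_template_safe(template_root, name):
    return resolve_template(template_root, name).read_text(encoding="utf-8")


def demo():
    """Constructed fixture: a template directory holding one JRuby-style template, with a
    secret file one level above it. Returns what each loader hands back for each request."""
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "templates"
        root.mkdir()
        (root / "hello.rb").write_text("Hello, <%= name %>\n", encoding="utf-8")
        (base / "secret.txt").write_text("db-password\n", encoding="utf-8")

        def attempt(loader, name):
            try:
                return loader(root, name)
            except (PermissionError, FileNotFoundError) as e:
                return f"rejected: {type(e).__name__}"

        return {
            "unsafe_legit": attempt(load_template_unsafe, "hello.rb"),
            "unsafe_traversal": attempt(load_template_unsafe, "../secret.txt"),
            "unsafe_absolute": attempt(load_template_unsafe, str(base / "secret.txt")),
            "safe_legit": attempt(load_template_safe, "hello.rb"),
            "safe_traversal": attempt(load_template_safe, "../secret.txt"),
            "safe_absolute": attempt(load_template_safe, str(base / "secret.txt")),
            "safe_missing": attempt(load_template_safe, "missing.rb"),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome!r}")
```

The unsafe loader returns the secret for both the `..` and the absolute-path request; the hardened one rejects both with `PermissionError` and still serves the legitimate template. The same check translates directly to `java.nio.file` (`Path.normalize`/`toRealPath` followed by `startsWith` against the configured root), which is the shape of fix to look for when auditing any code that maps request data to a template file.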
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-22737
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework:spring-webmvc | >=7.0.0-M1,<7.0.6 | 7.0.6 |
| Maven | org.springframework:spring-webmvc | >=6.2.0,<6.2.17 | 6.2.17 |
| Maven | org.springframework:spring-webmvc | >=6.0.0,<=6.1.21 | |
| Maven | org.springframework:spring-webmvc | >=5.3.0,<=5.3.39 | |
| Maven | org.springframework:spring-webflux | >=7.0.0-M1,<7.0.6 | 7.0.6 |
| Maven | org.springframework:spring-webflux | >=6.2.0,<6.2.17 | 6.2.17 |
| Maven | org.springframework:spring-webflux | >=6.0.0,<=6.1.21 | |
| Maven | org.springframework:spring-webflux | >=5.3.0,<=5.3.39 | |
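To turn the package table into an "am I affected" check, here is an added Python example (not part of this page and not vendor tooling) that encodes the table's ranges, orders Spring-style versions so that milestones and release candidates (7.0.0-M1, 7.0.0-RC1) sort before the final release, and scans `mvn dependency:list` output for the two artifacts. The sample output it scans is constructed for the example, not taken from a real build.

```python
import re

# Vulnerable ranges copied from the package-impact table above (both artifacts share them).
_SPRING_RANGES = [
    ">=7.0.0-M1,<7.0.6",
    ">=6.2.0,<6.2.17",
    ">=6.0.0,<=6.1.21",
    ">=5.3.0,<=5.3.39",
]
VULNERABLE_RANGES = {
    "org.springframework:spring-webmvc": _SPRING_RANGES,
    "org.springframework:spring-webflux": _SPRING_RANGES,
}

# Pre-release qualifiers sort below the final release: 7.0.0-M1 < 7.0.0-RC1 < 7.0.0.
_QUALIFIER_RANK = {"M": 0, "RC": 1}
_RELEASE_RANK = 2


def parse_version(version):
    """Turn a Spring-style version string into a comparable tuple."""
    core, _, qualifier = version.partition("-")
    nums = []
    for part in core.split("."):
        if not part.isdigit():      # tolerate legacy suffixes such as 5.2.0.RELEASE
            break
        nums.append(int(part))
    nums += [0] * (3 - len(nums))
    if not qualifier:
        rank, qnum = _RELEASE_RANK, 0
    else:
        m = re.fullmatch(r"(M|RC)(\d+)", qualifier)
        if m:
            rank, qnum = _QUALIFIER_RANK[m.group(1)], int(m.group(2))
        else:
            rank, qnum = -1, 0      # SNAPSHOT and other qualifiers: earliest pre-release
    return (nums[0], nums[1], nums[2], rank, qnum)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def in_range(version, spec):
    """True if `version` satisfies every comma-separated clause of `spec`."""
    key = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(>=|<=|>|<)(.+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, parse_version(bound)):
            return False
    return True


def vulnerable_range(coordinate, version):
    """Return the table range this artifact version falls into, or None if outside all of them."""
    for spec in VULNERABLE_RANGES.get(coordinate, ()):
        if in_range(version, spec):
            return spec
    return None


def scan_dependency_list(text):
    """Scan `mvn dependency:list` output. Returns (coordinate, version, matched range or None)
    for every spring-webmvc / spring-webflux line, so 'not in a listed range' is explicit."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        parts = line.split(":")
        if len(parts) < 5:              # group:artifact:type[:classifier]:version:scope
            continue
        coordinate = f"{parts[0]}:{parts[1]}"
        if coordinate in VULNERABLE_RANGES:
            version = parts[-2]
            findings.append((coordinate, version, vulnerable_range(coordinate, version)))
    return findings


# Constructed sample output (not from a real build) in the format `mvn dependency:list` prints.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:6.2.16:compile
[INFO]    org.springframework:spring-webflux:jar:7.0.6:compile
[INFO]    org.springframework:spring-core:jar:6.2.16:compile
[INFO]    org.springframework:spring-webmvc:jar:7.0.0-M1:compile
"""

if __name__ == "__main__":
    for coordinate, version, spec in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = f"VULNERABLE ({spec})" if spec else "not in a listed range"
        print(f"{coordinate}:{version}: {status}")
```

Run it against the real output of `mvn dependency:list` (or the equivalent Gradle report, after adjusting the line parser). Note that the table's upper bounds for the 6.1.x and 5.3.x lines (6.1.21 and 5.3.39) are lower than the description's (6.1.25 and 5.3.46), and neither of those lines has a fixed version in the table; the block follows the table, so widen those two ranges if you treat the description as authoritative. A version that scans clean on the 6.2.x or 7.0.x line means it is at or past 6.2.17 or 7.0.6, the fixed releases the table lists.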