VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-web@5.4.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-vfqt-vr9q-2kfp Aliases: CVE-2026-22732 GHSA-mf92-479x-3373	Spring Security HTTP Headers Are not Written Under Some Conditions When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.	6.5.9 Affected by 0 other vulnerabilities. 7.0.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-vfqt-vr9q-2kfp
Aliases:
CVE-2026-22732
GHSA-mf92-479x-3373

Spring Security HTTP Headers Are not Written Under Some Conditions When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

6.5.9
Affected by 0 other vulnerabilities.

7.0.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-yeaf-ta2h-p7c1	Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.	CVE-2021-22112 GHSA-gq28-h5vg-8prx

Vulnerability

Summary

Aliases

VCID-yeaf-ta2h-p7c1

Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

CVE-2021-22112
GHSA-gq28-h5vg-8prx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-22T07:35:39.649977+00:00	GitLab Importer	Affected by	VCID-vfqt-vr9q-2kfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-web/CVE-2026-22732.yml	38.4.0
2026-04-16T21:22:33.568425+00:00	GitLab Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-web/CVE-2021-22112.yml	38.4.0
2026-04-11T22:35:09.069516+00:00	GitLab Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-web/CVE-2021-22112.yml	38.3.0
2026-04-02T22:46:15.141392+00:00	GitLab Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-web/CVE-2021-22112.yml	38.1.0
2026-04-02T16:56:38.662908+00:00	GHSA Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://github.com/advisories/GHSA-gq28-h5vg-8prx	38.1.0
2026-04-01T17:04:06.253787+00:00	GitLab Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-web/CVE-2021-22112.yml	38.0.0
2026-04-01T13:02:59.012423+00:00	GithubOSV Importer	Fixing	VCID-yeaf-ta2h-p7c1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-gq28-h5vg-8prx/GHSA-gq28-h5vg-8prx.json	38.0.0