Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework/spring-webflux@5.2.2.RELEASE
purl pkg:maven/org.springframework/spring-webflux@5.2.2.RELEASE
Next non-vulnerable version 5.2.20.RELEASE
Latest non-vulnerable version 7.0.7
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-6pkk-3mj7-jyag
Aliases:
CVE-2020-5397
GHSA-7pm4-g2qj-j85x
Cross-Site Request Forgery (CSRF) Spring Framework is vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.
5.2.3
Affected by 0 other vulnerabilities.
5.2.3.RELEASE
Affected by 3 other vulnerabilities.
VCID-d66x-bm58-pfgt
Aliases:
CVE-2021-22118
GHSA-gfwj-fwqj-fp3v
Improper Privilege Management Spring Framework WebFlux applications are vulnerable to a privilege escalation. By (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
5.2.15.RELEASE
Affected by 1 other vulnerability.
5.3.7
Affected by 1 other vulnerability.
VCID-fra1-reqm-kfdb
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w
Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
5.2.8.RELEASE
Affected by 2 other vulnerabilities.
5.2.9.RELEASE
Affected by 2 other vulnerabilities.
VCID-tsjn-scdc-fqh3
Aliases:
CVE-2020-5398
GHSA-8wx2-9q48-vm9r
Download of Code Without Integrity Check In Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a `Content-Disposition` header in the response where the filename attribute is derived from user supplied input.
5.2.3.RELEASE
Affected by 3 other vulnerabilities.
VCID-vr7m-chzs-abfu
Aliases:
CVE-2022-22965
GHSA-36p3-wjmg-h94x
GMS-2022-558
GMS-2022-559
GMS-2022-560
GMS-2022-561
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux.
5.2.20.RELEASE
Affected by 0 other vulnerabilities.
5.3.18
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T01:39:05.123796+00:00 GitLab Importer Affected by VCID-vr7m-chzs-abfu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webflux/CVE-2022-22965.yml 38.6.0
2026-06-06T00:43:08.077652+00:00 GitLab Importer Affected by VCID-d66x-bm58-pfgt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webflux/CVE-2021-22118.yml 38.6.0
2026-06-04T20:39:08.867063+00:00 GitLab Importer Affected by VCID-fra1-reqm-kfdb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webflux/CVE-2020-5421.yml 38.6.0
2026-06-04T20:26:28.963741+00:00 GitLab Importer Affected by VCID-tsjn-scdc-fqh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webflux/CVE-2020-5398.yml 38.6.0
2026-06-04T20:26:28.667670+00:00 GitLab Importer Affected by VCID-6pkk-3mj7-jyag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webflux/CVE-2020-5397.yml 38.6.0