Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework/spring-webmvc@4.0.0
purl pkg:maven/org.springframework/spring-webmvc@4.0.0
Tags Ghost
Next non-vulnerable version 5.2.20.RELEASE
Latest non-vulnerable version 7.0.6
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-9v66-xp9z-8kea
Aliases:
CVE-2014-3625
GHSA-hhm4-hwq6-3c6w
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
4.0.8
Affected by 0 other vulnerabilities.
4.0.8.RELEASE
Affected by 4 other vulnerabilities.
4.1.2
Affected by 0 other vulnerabilities.
4.1.2.RELEASE
Affected by 4 other vulnerabilities.
VCID-ajex-5x84-8ygb
Aliases:
CVE-2014-1904
GHSA-ff7p-jqjm-v66h
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
4.0.2.RELEASE
Affected by 7 other vulnerabilities.
VCID-r384-aque-vqcw
Aliases:
CVE-2014-0225
GHSA-f93f-g33r-8pcp
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
4.0.5
Affected by 0 other vulnerabilities.
4.0.5.RELEASE
Affected by 5 other vulnerabilities.
VCID-vkf8-5z5m-wqc7
Aliases:
CVE-2014-0054
GHSA-8cmm-qj8g-fcp6
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
4.0.2
Affected by 0 other vulnerabilities.
4.0.2.RELEASE
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-04T14:30:27.903353+00:00 GHSA Importer Affected by VCID-ajex-5x84-8ygb https://github.com/advisories/GHSA-ff7p-jqjm-v66h 38.1.0
2026-04-01T16:00:51.514166+00:00 GHSA Importer Affected by VCID-9v66-xp9z-8kea https://github.com/advisories/GHSA-hhm4-hwq6-3c6w 38.0.0
2026-04-01T16:00:51.415956+00:00 GHSA Importer Affected by VCID-r384-aque-vqcw https://github.com/advisories/GHSA-f93f-g33r-8pcp 38.0.0
2026-04-01T16:00:51.316439+00:00 GHSA Importer Affected by VCID-vkf8-5z5m-wqc7 https://github.com/advisories/GHSA-8cmm-qj8g-fcp6 38.0.0
2026-04-01T12:50:18.340528+00:00 GitLab Importer Affected by VCID-r384-aque-vqcw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webmvc/CVE-2014-0225.yml 38.0.0