VulnerableCode Package Details - pkg:maven/org.springframework/spring-webmvc@6.1.21

Search for packages

Vulnerability	Summary	Fixed by
VCID-85dj-ems3-vyh4 Aliases: CVE-2026-22735 GHSA-6hcq-hmm3-jj3c	Spring MVC and WebFlux has Server Sent Event stream corruption Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.	6.2.17 Affected by 0 other vulnerabilities. 7.0.6 Affected by 0 other vulnerabilities.
VCID-n1vf-acj7-gkaf Aliases: CVE-2025-41242 GHSA-r936-gwx5-v52f	Spring Framework MVC Applications Path Traversal Vulnerability Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.	6.2.10 Affected by 0 other vulnerabilities.
VCID-sh22-dem5-aqf3 Aliases: CVE-2026-22737 GHSA-4773-3jfm-qmx3	Spring Framework Improper Path Limitation with Script View Templates Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.	6.2.17 Affected by 0 other vulnerabilities. 7.0.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-85dj-ems3-vyh4
Aliases:
CVE-2026-22735
GHSA-6hcq-hmm3-jj3c

Spring MVC and WebFlux has Server Sent Event stream corruption Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

6.2.17
Affected by 0 other vulnerabilities.

7.0.6
Affected by 0 other vulnerabilities.

VCID-n1vf-acj7-gkaf
Aliases:
CVE-2025-41242
GHSA-r936-gwx5-v52f

Spring Framework MVC Applications Path Traversal Vulnerability Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

6.2.10
Affected by 0 other vulnerabilities.

VCID-sh22-dem5-aqf3
Aliases:
CVE-2026-22737
GHSA-4773-3jfm-qmx3

Spring Framework Improper Path Limitation with Script View Templates Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

6.2.17
Affected by 0 other vulnerabilities.

7.0.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T04:58:27.140486+00:00	GHSA Importer	Affected by	VCID-n1vf-acj7-gkaf	https://github.com/advisories/GHSA-r936-gwx5-v52f	38.1.0
2026-04-02T17:01:17.607370+00:00	GHSA Importer	Affected by	VCID-sh22-dem5-aqf3	https://github.com/advisories/GHSA-4773-3jfm-qmx3	38.1.0
2026-04-02T17:01:17.155752+00:00	GHSA Importer	Affected by	VCID-85dj-ems3-vyh4	https://github.com/advisories/GHSA-6hcq-hmm3-jj3c	38.1.0