{"url":"http://public2.vulnerablecode.io/api/packages/149620?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.6.RELEASE","type":"maven","namespace":"org.springframework","name":"spring-webmvc","version":"3.2.6.RELEASE","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.2.20.RELEASE","latest_non_vulnerable_version":"7.0.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4872?format=json","vulnerability_id":"VCID-53gt-nbgk-hyc2","summary":"Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.","references":[{"reference_url":"http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html","reference_id":"","reference_type":"","scores":[],"url":"http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html"},{"reference_url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054"},{"reference_url":"http://jvn.jp/en/jp/JVN49154900/index.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvn.jp/en/jp/JVN49154900/index.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3578.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3578.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3578","reference_id":"","reference_type":"","scores":[{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88992","published_at":"2026-05-05T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88944","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88949","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.8896","published_at":"2026-04-11T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88954","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88953","published_at":"2026-04-13T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88966","published_at":"2026-04-16T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88964","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88961","published_at":"2026-04-21T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88978","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88985","published_at":"2026-04-26T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88986","published_at":"2026-04-29T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88899","published_at":"2026-04-01T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88907","published_at":"2026-04-02T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88923","published_at":"2026-04-04T12:55:00Z"},{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.88925","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3578"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131882","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131882"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3578"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/16414","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/16414"},{"reference_url":"https://jira.spring.io/browse/SPR-12354","reference_id":"","reference_type":"","scores":[],"url":"https://jira.spring.io/browse/SPR-12354"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://rhn.redhat.com/errata/RHSA-2015-0234.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rhn.redhat.com/errata/RHSA-2015-0234.html"},{"reference_url":"https://rhn.redhat.com/errata/RHSA-2015-0235.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rhn.redhat.com/errata/RHSA-2015-0235.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760733","reference_id":"760733","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760733"},{"reference_url":"http://pivotal.io/security/cve-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://pivotal.io/security/cve-2014-3578"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3578"},{"reference_url":"http://www.pivotal.io/security/cve-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[],"url":"http://www.pivotal.io/security/cve-2014-3578"},{"reference_url":"https://github.com/advisories/GHSA-rhcg-rwhx-qj3j","reference_id":"GHSA-rhcg-rwhx-qj3j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rhcg-rwhx-qj3j"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0234","reference_id":"RHSA-2015:0234","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0234"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0235","reference_id":"RHSA-2015:0235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0675","reference_id":"RHSA-2015:0675","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0675"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0720","reference_id":"RHSA-2015:0720","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0720"},{"reference_url":"https://usn.ubuntu.com/USN-4774-1/","reference_id":"USN-USN-4774-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4774-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21013?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-j3wr-npbv-8qcw"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/21014?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE"}],"aliases":["CVE-2014-3578","GHSA-rhcg-rwhx-qj3j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-53gt-nbgk-hyc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4852?format=json","vulnerability_id":"VCID-9v66-xp9z-8kea","summary":"Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0236.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0236.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3625.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3625.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3625","reference_id":"","reference_type":"","scores":[{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94959","published_at":"2026-04-07T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.95003","published_at":"2026-05-05T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94954","published_at":"2026-04-02T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94956","published_at":"2026-04-04T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94967","published_at":"2026-04-08T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94992","published_at":"2026-04-18T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94988","published_at":"2026-04-16T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.9498","published_at":"2026-04-13T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94977","published_at":"2026-04-12T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94976","published_at":"2026-04-11T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94945","published_at":"2026-04-01T12:55:00Z"},{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.94971","published_at":"2026-04-09T12:55:00Z"},{"value":"0.1736","scoring_system":"epss","scoring_elements":"0.95072","published_at":"2026-04-29T12:55:00Z"},{"value":"0.1736","scoring_system":"epss","scoring_elements":"0.95071","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3625"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3625","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3625"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/161d3e3049f129e211f68a4e94b544e0f0d8384d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/161d3e3049f129e211f68a4e94b544e0f0d8384d"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755"},{"reference_url":"https://jira.spring.io/browse/SPR-12354","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jira.spring.io/browse/SPR-12354"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3625","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3625"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1165936","reference_id":"1165936","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1165936"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769698","reference_id":"769698","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769698"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"},{"reference_url":"https://bugzilla.redhat.com/CVE-2014-3625","reference_id":"CVE-2014-3625","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2014-3625"},{"reference_url":"http://www.pivotal.io/security/cve-2014-3625","reference_id":"CVE-2014-3625","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.pivotal.io/security/cve-2014-3625"},{"reference_url":"https://github.com/advisories/GHSA-hhm4-hwq6-3c6w","reference_id":"GHSA-hhm4-hwq6-3c6w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhm4-hwq6-3c6w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0234","reference_id":"RHSA-2015:0234","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0234"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0235","reference_id":"RHSA-2015:0235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0236","reference_id":"RHSA-2015:0236","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0236"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0720","reference_id":"RHSA-2015:0720","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0720"},{"reference_url":"https://usn.ubuntu.com/USN-4774-1/","reference_id":"USN-USN-4774-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4774-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84535?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.12"},{"url":"http://public2.vulnerablecode.io/api/packages/20903?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.12.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-j3wr-npbv-8qcw"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.12.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/84537?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.8"},{"url":"http://public2.vulnerablecode.io/api/packages/20904?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/84538?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/20905?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.1.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.1.2.RELEASE"}],"aliases":["CVE-2014-3625","GHSA-hhm4-hwq6-3c6w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9v66-xp9z-8kea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4720?format=json","vulnerability_id":"VCID-ajex-5x84-8ygb","summary":"Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.","references":[{"reference_url":"http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1904.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-1904","reference_id":"","reference_type":"","scores":[{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82926","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82833","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82829","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82868","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82867","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.8287","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82891","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.829","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82905","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82763","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82779","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82793","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.8279","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82815","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82821","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.82837","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-1904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904"},{"reference_url":"http://seclists.org/fulldisclosure/2014/Mar/101","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2014/Mar/101"},{"reference_url":"http://secunia.com/advisories/57915","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/57915"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45"},{"reference_url":"https://jira.springsource.org/browse/SPR-11426","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jira.springsource.org/browse/SPR-11426"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1904","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1904"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075296","reference_id":"1075296","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075296"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604","reference_id":"741604","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604"},{"reference_url":"https://bugzilla.redhat.com/CVE-2014-1904","reference_id":"CVE-2014-1904","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2014-1904"},{"reference_url":"http://www.gopivotal.com/security/cve-2014-1904","reference_id":"CVE-2014-1904","reference_type":"","scores":[],"url":"http://www.gopivotal.com/security/cve-2014-1904"},{"reference_url":"https://github.com/advisories/GHSA-ff7p-jqjm-v66h","reference_id":"GHSA-ff7p-jqjm-v66h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ff7p-jqjm-v66h"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0400","reference_id":"RHSA-2014:0400","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0400"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0401","reference_id":"RHSA-2014:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0401"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20599?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-53gt-nbgk-hyc2"},{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-j3wr-npbv-8qcw"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/20600?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-53gt-nbgk-hyc2"},{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-r384-aque-vqcw"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE"}],"aliases":["CVE-2014-1904","GHSA-ff7p-jqjm-v66h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajex-5x84-8ygb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13583?format=json","vulnerability_id":"VCID-cyjt-4vjn-mbc7","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux.","references":[{"reference_url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"},{"reference_url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22965.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22965.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22965","reference_id":"","reference_type":"","scores":[{"value":"0.94428","scoring_system":"epss","scoring_elements":"0.99984","published_at":"2026-05-05T12:55:00Z"},{"value":"0.94428","scoring_system":"epss","scoring_elements":"0.99983","published_at":"2026-04-26T12:55:00Z"},{"value":"0.94428","scoring_system":"epss","scoring_elements":"0.99982","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22965"},{"reference_url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965"},{"reference_url":"https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12"},{"reference_url":"https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15"},{"reference_url":"https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE"},{"reference_url":"https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18"},{"reference_url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"},{"reference_url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement"},{"reference_url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds","reference_id":"","reference_type":"","scores":[],"url":"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds"},{"reference_url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965"},{"reference_url":"https://www.kb.cert.org/vuls/id/970766","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.kb.cert.org/vuls/id/970766"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2070348","reference_id":"2070348","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2070348"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965","reference_id":"CVE-2022-22965","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22965"},{"reference_url":"https://tanzu.vmware.com/security/cve-2022-22965","reference_id":"CVE-2022-22965","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-01-29T17:52:10Z/"}],"url":"https://tanzu.vmware.com/security/cve-2022-22965"},{"reference_url":"https://github.com/advisories/GHSA-36p3-wjmg-h94x","reference_id":"GHSA-36p3-wjmg-h94x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36p3-wjmg-h94x"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1306","reference_id":"RHSA-2022:1306","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1306"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1333","reference_id":"RHSA-2022:1333","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1333"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1360","reference_id":"RHSA-2022:1360","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1360"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1378","reference_id":"RHSA-2022:1378","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1378"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1379","reference_id":"RHSA-2022:1379","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1379"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1626","reference_id":"RHSA-2022:1626","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1626"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1627","reference_id":"RHSA-2022:1627","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1627"},{"reference_url":"https://usn.ubuntu.com/7165-1/","reference_id":"USN-7165-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7165-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48456?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.2.20.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.2.20.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/48457?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.3.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7x5d-wtf5-3kau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.3.18"}],"aliases":["CVE-2022-22965","GHSA-36p3-wjmg-h94x","GMS-2022-558","GMS-2022-559","GMS-2022-560","GMS-2022-561"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyjt-4vjn-mbc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4715?format=json","vulnerability_id":"VCID-fv26-nhx4-dqd3","summary":"Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1320","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2939","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2939"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1271.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1271.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1271","reference_id":"","reference_type":"","scores":[{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.9962","published_at":"2026-04-26T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99617","published_at":"2026-04-18T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99616","published_at":"2026-04-13T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99615","published_at":"2026-04-09T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99614","published_at":"2026-04-04T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99622","published_at":"2026-04-29T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99613","published_at":"2026-04-02T12:55:00Z"},{"value":"0.90599","scoring_system":"epss","scoring_elements":"0.99619","published_at":"2026-04-21T12:55:00Z"},{"value":"0.90996","scoring_system":"epss","scoring_elements":"0.99643","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1271"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea9037554","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea9037554"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aa"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"reference_url":"http://www.securityfocus.com/bid/103699","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/103699"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1571050","reference_id":"1571050","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1571050"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1271","reference_id":"CVE-2018-1271","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1271"},{"reference_url":"https://pivotal.io/security/cve-2018-1271","reference_id":"CVE-2018-1271","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2018-1271"},{"reference_url":"https://github.com/advisories/GHSA-g8hw-794c-4j9g","reference_id":"GHSA-g8hw-794c-4j9g","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8hw-794c-4j9g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27465?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-pht6-8af8-b3f2"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/27464?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-pht6-8af8-b3f2"},{"vulnerability":"VCID-u7kk-c6fm-judy"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE"}],"aliases":["CVE-2018-1271","GHSA-g8hw-794c-4j9g"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fv26-nhx4-dqd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4964?format=json","vulnerability_id":"VCID-j3wr-npbv-8qcw","summary":"An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:3115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:3115"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9878.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9878.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9878","reference_id":"","reference_type":"","scores":[{"value":"0.03689","scoring_system":"epss","scoring_elements":"0.87943","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03689","scoring_system":"epss","scoring_elements":"0.87936","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89596","published_at":"2026-04-04T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89659","published_at":"2026-05-05T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.8958","published_at":"2026-04-01T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89583","published_at":"2026-04-02T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89619","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89613","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89597","published_at":"2026-04-07T12:55:00Z"},{"value":"0.05056","scoring_system":"epss","scoring_elements":"0.89794","published_at":"2026-04-18T12:55:00Z"},{"value":"0.05056","scoring_system":"epss","scoring_elements":"0.89788","published_at":"2026-04-21T12:55:00Z"},{"value":"0.05056","scoring_system":"epss","scoring_elements":"0.89803","published_at":"2026-04-29T12:55:00Z"},{"value":"0.05056","scoring_system":"epss","scoring_elements":"0.89804","published_at":"2026-04-26T12:55:00Z"},{"value":"0.05629","scoring_system":"epss","scoring_elements":"0.90359","published_at":"2026-04-16T12:55:00Z"},{"value":"0.05629","scoring_system":"epss","scoring_elements":"0.90343","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9878"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/19513","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/19513"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180419-0002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20180419-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180419-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20180419-0002/"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.securityfocus.com/bid/95072","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/95072"},{"reference_url":"http://www.securitytracker.com/id/1040698","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1040698"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1408164","reference_id":"1408164","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1408164"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849167","reference_id":"849167","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849167"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9878","reference_id":"CVE-2016-9878","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9878"},{"reference_url":"https://pivotal.io/security/cve-2016-9878","reference_id":"CVE-2016-9878","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2016-9878"},{"reference_url":"https://github.com/advisories/GHSA-2m8h-fgr8-2q9w","reference_id":"GHSA-2m8h-fgr8-2q9w","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2m8h-fgr8-2q9w"},{"reference_url":"https://usn.ubuntu.com/USN-4774-1/","reference_id":"USN-USN-4774-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4774-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77910?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/23523?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/77911?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/27461?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-pht6-8af8-b3f2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/23524?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE.4.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/77912?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/23525?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-pht6-8af8-b3f2"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.5.RELEASE"}],"aliases":["CVE-2016-9878","GHSA-2m8h-fgr8-2q9w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j3wr-npbv-8qcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4711?format=json","vulnerability_id":"VCID-pb7f-yasx-17ag","summary":"Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1320","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1272.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1272.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1272","reference_id":"","reference_type":"","scores":[{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84329","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84327","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84326","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84304","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84307","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84313","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84388","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84369","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84364","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84356","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84268","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84266","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84247","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84235","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84295","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.8429","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1272"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/141286","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/141286"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"reference_url":"http://www.securityfocus.com/bid/103697","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/103697"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1564408","reference_id":"1564408","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1564408"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114","reference_id":"895114","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1272","reference_id":"CVE-2018-1272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1272"},{"reference_url":"https://pivotal.io/security/cve-2018-1272","reference_id":"CVE-2018-1272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2018-1272"},{"reference_url":"https://github.com/advisories/GHSA-4487-x383-qpph","reference_id":"GHSA-4487-x383-qpph","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4487-x383-qpph"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27465?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-pht6-8af8-b3f2"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/27464?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-pht6-8af8-b3f2"},{"vulnerability":"VCID-u7kk-c6fm-judy"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE"}],"aliases":["CVE-2018-1272","GHSA-4487-x383-qpph"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pb7f-yasx-17ag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4924?format=json","vulnerability_id":"VCID-r384-aque-vqcw","summary":"When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0225.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0225.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0225","reference_id":"","reference_type":"","scores":[{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46351","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46438","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46478","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46498","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46447","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46502","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46526","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46497","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46506","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46563","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46561","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46508","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46489","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00236","scoring_system":"epss","scoring_elements":"0.46499","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0225"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb"},{"reference_url":"https://jira.spring.io/browse/SPR-11768","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jira.spring.io/browse/SPR-11768"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1110110","reference_id":"1110110","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1110110"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753470","reference_id":"753470","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753470"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0225","reference_id":"CVE-2014-0225","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0225"},{"reference_url":"https://pivotal.io/security/cve-2014-0225","reference_id":"CVE-2014-0225","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2014-0225"},{"reference_url":"http://www.gopivotal.com/security/cve-2014-0225","reference_id":"CVE-2014-0225","reference_type":"","scores":[],"url":"http://www.gopivotal.com/security/cve-2014-0225"},{"reference_url":"https://github.com/advisories/GHSA-f93f-g33r-8pcp","reference_id":"GHSA-f93f-g33r-8pcp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f93f-g33r-8pcp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1351","reference_id":"RHSA-2014:1351","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1351"},{"reference_url":"https://usn.ubuntu.com/USN-4774-1/","reference_id":"USN-USN-4774-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4774-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52869?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/20599?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-53gt-nbgk-hyc2"},{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-j3wr-npbv-8qcw"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/52871?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/21014?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE"}],"aliases":["CVE-2014-0225","GHSA-f93f-g33r-8pcp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r384-aque-vqcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4841?format=json","vulnerability_id":"VCID-vkf8-5z5m-wqc7","summary":"The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0054.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0054.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0054","reference_id":"","reference_type":"","scores":[{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85551","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85482","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85478","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85502","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85507","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85503","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85525","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85535","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85534","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85405","published_at":"2026-04-01T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85417","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85437","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.8544","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85461","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85469","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85484","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/16003","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/16003"},{"reference_url":"https://jira.spring.io/browse/SPR-11376","reference_id":"","reference_type":"","scores":[],"url":"https://jira.spring.io/browse/SPR-11376"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0054","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0054"},{"reference_url":"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075328","reference_id":"1075328","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075328"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604","reference_id":"741604","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604"},{"reference_url":"http://www.pivotal.io/security/cve-2014-0054","reference_id":"CVE-2014-0054","reference_type":"","scores":[],"url":"http://www.pivotal.io/security/cve-2014-0054"},{"reference_url":"https://github.com/advisories/GHSA-8cmm-qj8g-fcp6","reference_id":"GHSA-8cmm-qj8g-fcp6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8cmm-qj8g-fcp6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0400","reference_id":"RHSA-2014:0400","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0400"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0401","reference_id":"RHSA-2014:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0401"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52869?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/20599?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-53gt-nbgk-hyc2"},{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-j3wr-npbv-8qcw"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/81945?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/20600?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-53gt-nbgk-hyc2"},{"vulnerability":"VCID-9v66-xp9z-8kea"},{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-r384-aque-vqcw"},{"vulnerability":"VCID-y3uz-etva-sufh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE"}],"aliases":["CVE-2014-0054","GHSA-8cmm-qj8g-fcp6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vkf8-5z5m-wqc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35096?format=json","vulnerability_id":"VCID-y3uz-etva-sufh","summary":"Improper Input Validation in Spring Framework\nIn Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5421.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5421.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5421","reference_id":"","reference_type":"","scores":[{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98439","published_at":"2026-05-05T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98434","published_at":"2026-04-29T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98431","published_at":"2026-04-21T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98432","published_at":"2026-04-16T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98427","published_at":"2026-04-13T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98424","published_at":"2026-04-09T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98423","published_at":"2026-04-08T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.9842","published_at":"2026-04-07T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98417","published_at":"2026-04-04T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98414","published_at":"2026-04-02T12:55:00Z"},{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98412","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5421"},{"reference_url":"https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163@%3Ccommits.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163@%3Ccommits.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a@%3Cissues.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a@%3Cissues.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb91774a3196d9eb@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb91774a3196d9eb@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8719cad3a840211@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8719cad3a840211@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5@%3Cissues.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5@%3Cissues.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e956e95cb2c482865@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e956e95cb2c482865@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a@%3Cdev.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a@%3Cdev.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b6156d0867246ec@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b6156d0867246ec@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1@%3Cdev.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1@%3Cdev.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5f3abad09d9511d@%3Cuser.ignite.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5f3abad09d9511d@%3Cuser.ignite.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b2348e08d807ccb@%3Cuser.ignite.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b2348e08d807ccb@%3Cuser.ignite.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77fbd884a75ecfdc@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77fbd884a75ecfdc@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb229d4aaa08b6a13d@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb229d4aaa08b6a13d@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f824082ed54f665@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f824082ed54f665@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac110d32b1254127e@%3Cdev.ranger.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac110d32b1254127e@%3Cdev.ranger.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf00d8f4101a1c1ea4de6ea1e09ddf7472cfd306745c90d6da87ae074@%3Cdev.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf00d8f4101a1c1ea4de6ea1e09ddf7472cfd306745c90d6da87ae074@%3Cdev.hive.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5421","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5421"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210513-0009","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210513-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210513-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210513-0009/"},{"reference_url":"https://tanzu.vmware.com/security/cve-2020-5421","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tanzu.vmware.com/security/cve-2020-5421"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1881158","reference_id":"1881158","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1881158"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973381","reference_id":"973381","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973381"},{"reference_url":"https://github.com/advisories/GHSA-rv39-3qh7-9v7w","reference_id":"GHSA-rv39-3qh7-9v7w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rv39-3qh7-9v7w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27461?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-fv26-nhx4-dqd3"},{"vulnerability":"VCID-pb7f-yasx-17ag"},{"vulnerability":"VCID-pht6-8af8-b3f2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/215217?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.28.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.28.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/291918?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.29.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.29.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/215219?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.18.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/291920?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.19.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.19.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/215223?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.1.17.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.1.17.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/291922?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.1.18.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.1.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/215228?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-dy4t-tm9m-rfex"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/291925?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cyjt-4vjn-mbc7"},{"vulnerability":"VCID-dy4t-tm9m-rfex"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.2.9.RELEASE"}],"aliases":["CVE-2020-5421","GHSA-rv39-3qh7-9v7w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3uz-etva-sufh"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.6.RELEASE"}