Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework.security/spring-security-core@5.8.24
purl pkg:maven/org.springframework.security/spring-security-core@5.8.24
Tags Ghost
Next non-vulnerable version 6.2.8
Latest non-vulnerable version 7.0.5
Risk 1.6
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-bxeh-gaxy-6uch
Aliases:
CVE-2026-22746
GHSA-vxf7-qj7q-83fh
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
6.5.10
Affected by 0 other vulnerabilities.
7.0.5
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-01T20:52:13.045093+00:00 GHSA Importer Affected by VCID-bxeh-gaxy-6uch https://github.com/advisories/GHSA-vxf7-qj7q-83fh 38.6.0