CVE-2026-22737

MEDIUM5.9EPSS 0.10%

Spring Framework Improper Path Limitation with Script View Templates

Published: 3/20/2026Modified: 3/26/2026

Also known as:GHSA-4773-3jfm-qmx3CGA-7vr7-8qxr-v5r4

Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Affected packages (3)

Debian/libspring-javafrom 0
Maven/org.springframework:spring-webflux>= 7.0.0-M1, < 7.0.6
Maven/org.springframework:spring-webmvc>= 7.0.0-M1, < 7.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-22737
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-22737
PATCHhttps://github.com/spring-projects/spring-framework
WEBhttps://spring.io/security/cve-2026-22737