Main Vulnerability Database Vulnerabilities #VU128372

Path traversal in Spring Framework - CVE-2026-22737

Published: April 28, 2026

Vulnerability identifier: #VU128372

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-22737

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Pivotal

Affected software:
Spring Framework

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper path limitation in script view templates when rendering views with Java scripting engine enabled and the view name is not explicitly specified. A remote attacker can send a specially crafted request to disclose sensitive information.

Exploitation requires a mapping for "/**" that results in view rendering.

How to mitigate CVE-2026-22737

Install security update from vendor's website.

Sources

https://spring.io/security/cve-2026-22737

Path traversal in Spring Framework - CVE-2026-22737

Detailed vulnerability description

How to mitigate CVE-2026-22737

Sources

Please verify you're human