Improper Neutralization of Special Elements in Output Used by a Downstream Component in Spring Framework - CVE-2026-22735

Published: April 28, 2026


Vulnerability identifier: #VU128385
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22735
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pivotal
Affected software:
Spring Framework

Detailed vulnerability description

The vulnerability allows a remote user to corrupt data streams sent to other users.

The vulnerability exists due to improper neutralization of special elements in Server-Sent Events handling in Spring MVC and Spring WebFlux when streaming plain text Server-Sent Events to clients. A remote user who controls data that is streamed to other users can corrupt the event stream delivered to those users.

The issue is exposed only when plain text messages are used instead of a structured format such as JSON, and user interaction is required.
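The advisory does not show the affected code; the following added example (not Spring's code, and the exact Spring defect is assumed to follow this general pattern) demonstrates how a line break left unneutralized in a plain-text Server-Sent Events payload turns one event into several, and shows the two mitigations the advisory points at: neutralizing line breaks in plain text, or using a structured format such as JSON.

```python
# Added example, not Spring code: SSE framing with and without neutralization.
import json

def sse_naive(text: str) -> str:
    """Vulnerable framing: the payload goes into one data: line verbatim."""
    return f"data: {text}\n\n"

def sse_safe(text: str) -> str:
    """Hardened framing: each payload line becomes its own data: line, so
    CR/LF in the payload can never end the event or start a new field."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "".join(f"data: {line}\n" for line in lines) + "\n"

def sse_json(obj) -> str:
    """Structured alternative: json.dumps escapes \\r and \\n inside strings."""
    return f"data: {json.dumps(obj)}\n\n"

def parse_sse(stream: str) -> list:
    """Minimal client-side parser (WHATWG rules): blank line dispatches,
    data lines are joined with LF, other fields overwrite."""
    events, data, fields = [], [], {}
    for line in stream.split("\n"):
        if line == "":
            if data or fields:
                events.append({**fields, "data": "\n".join(data)})
            data, fields = [], {}
        elif line.startswith(":"):
            continue  # comment line, ignored by clients
        else:
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "data":
                data.append(value)
            else:
                fields[field] = value
    return events

# Constructed user-supplied message containing a blank line and SSE field syntax.
PAYLOAD = "status ok\n\nevent: alert\ndata: injected"

def demo() -> dict:
    return {
        "naive": parse_sse(sse_naive(PAYLOAD)),   # two events, one with event=alert
        "safe": parse_sse(sse_safe(PAYLOAD)),     # one event, payload intact
        "json": parse_sse(sse_json({"msg": PAYLOAD})),  # one event, escaped
    }

if __name__ == "__main__":
    for name, events in demo().items():
        print(name, len(events), events)
```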


How to mitigate CVE-2026-22735

Install the security update from the vendor's website.

Sources