Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

INFO

Published Date :

2026-03-19T23:53:59.918Z

Last Modified :

2026-03-20T14:43:50.722Z

Source :

vmware
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22737 vulnerability.

Vendors Products
Spring
  • Spring Framework
Vmware
  • Spring Framework
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22737.

URL Resource
https://nvd.nist.gov/vuln/detail/CVE-2026-22737 cve-icon
https://spring.io/security/cve-2026-22737 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-22737 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact