Org.springframework:spring-web

This hub aggregates every CVE we track for Org.springframework:spring-web, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 12 most recently published vulnerabilities affecting Org.springframework:spring-web.

• CVE-2025-41234RFD Attack via “Content-Disposition” Header Sourced from Request6.5Jun 12, 2025
• CVE-2024-38820CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception3.1Oct 18, 2024
• CVE-2024-38809Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users ...5.3Sep 27, 2024
• CVE-2024-22262CVE-2024-22262: Spring Framework URL Parsing with Host Validation8.1Apr 16, 2024
• CVE-2024-22259CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)8.1Mar 16, 2024
• CVE-2024-22243CVE-2024-22243: Spring Framework URL Parsing with Host Validation8.1Feb 23, 2024
• CVE-2021-22118In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory...7.8May 27, 2021
• CVE-2013-6430The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attacker...5.4Jan 10, 2020
• CVE-2016-1000027Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented wi...9.8Jan 2, 2020
• CVE-2018-11039Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (includi...5.9Jun 25, 2018
• CVE-2015-3192Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of ser...5.5Jul 12, 2016
• CVE-2013-6429The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbit...6.8Jan 26, 2014