Org.springframework:spring-webmvc

This hub aggregates every CVE we track for Org.springframework:spring-webmvc, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 14 most recently published vulnerabilities affecting Org.springframework:spring-webmvc.

• CVE-2025-41242CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers5.9Aug 18, 2025
• CVE-2024-38819Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtai...7.5Dec 19, 2024
• CVE-2024-38828CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter5.3Nov 18, 2024
• CVE-2024-38816CVE-2024-38816: Path traversal vulnerability in functional web frameworks7.5Sep 13, 2024
• CVE-2023-34053Spring Framework server Web Observations DoS Vulnerability5.3Nov 28, 2023
• CVE-2023-20860Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between S...7.5Mar 27, 2023
• CVE-2022-22965A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a W...KEV9.8Apr 1, 2022
• CVE-2020-5397CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux5.3Jan 17, 2020
• CVE-2020-5398RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application7.5Jan 16, 2020
• CVE-2014-0225When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI referenc...8.8May 25, 2017
• CVE-2016-9878An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result expo...7.5Dec 29, 2016
• CVE-2014-3625Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspe...5.0Nov 20, 2014
• CVE-2014-0054The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arb...6.8Apr 17, 2014
• CVE-2014-1904Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrar...4.3Mar 20, 2014