Spring security

This hub aggregates every CVE we track for Spring security, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Spring security.

• CVE-2026-47838Unauthorized User Impersonation when Using X.509 Client Certificates6.8Jun 9, 2026
• CVE-2026-41706Open Redirect When Using CookieRequestCache6.1Jun 9, 2026
• CVE-2026-41694SAML Payloads Decrypted Without Valid Signature3.7Jun 9, 2026
• CVE-2026-41008Spring Security Authorization Server Open Redirect via request_uri6.1Jun 9, 2026
• CVE-2026-41003Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting7.6Jun 9, 2026
• CVE-2026-40993Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry7.3Jun 9, 2026
• CVE-2026-40988Unbounded DEFLATE Inflation in SAML 2.0 Service Provider7.5Jun 9, 2026
• CVE-2026-22754ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules7.5Apr 22, 2026
• CVE-2026-22753Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers7.5Apr 22, 2026
• CVE-2026-22748Potential Security Misconfiguration when Using withIssuerLocation5.3Apr 22, 2026
• CVE-2026-22747Unauthorized User Impersonation when Using X.509 Client Certificates6.8Apr 22, 2026
• CVE-2026-22746User Attribute Enumeration when Using DaoAuthenticationProvider3.7Apr 22, 2026
• CVE-2026-22751Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions4.8Apr 21, 2026
• CVE-2026-22733Authentication Bypass under Actuator CloudFoundry endpoints8.2Mar 19, 2026
• CVE-2026-22732Under Some Conditions Spring Security HTTP Headers Are not Written9.1Mar 19, 2026