{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22737", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.674Z", "datePublished": "2026-03-19T23:53:59.918Z", "dateUpdated": "2026-03-20T14:43:50.722Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:53:59.918Z"}, "title": "Spring Framework Improper Path Limitation with Script View Templates", "affected": [{"vendor": "Spring", "product": "Spring Framework", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.5", "versionType": "custom"}, {"status": "affected", "version": "6.2.0", "lessThanOrEqual": "6.2.16", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThanOrEqual": "6.1.25", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThanOrEqual": "5.3.46", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.\u00a0This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.&nbsp;<span>This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22737"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:43:36.520127Z", "id": "CVE-2026-22737", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:43:50.722Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Spring Framework Improper Path Limitation with Script View Templates", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Framework", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.5"}, {"status": "affected", "version": "6.2.0", "versionType": "custom", "lessThanOrEqual": "6.2.16"}, {"status": "affected", "version": "6.1.0", "versionType": "custom", "lessThanOrEqual": "6.1.25"}, {"status": "affected", "version": "5.3.0", "versionType": "custom", "lessThanOrEqual": "5.3.46"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22737"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.\u00a0This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "value": "<p>Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.&nbsp;<span>This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:53:59.918Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T14:43:36.520127Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-20T14:43:46.392Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22737", "state": "PUBLISHED", "dateUpdated": "2026-03-19T23:53:59.918Z", "dateReserved": "2026-01-09T06:54:49.674Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T23:53:59.918Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views.\u00a0This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46."}], "id": "CVE-2026-22737", "lastModified": "2026-03-20T15:16:16.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.837", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22737"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.2.0,6.2.16]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,6.1.25]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.46]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "spring_framework", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-20T12:22:50.151016+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Framework to a version newer than 7.0.5, 6.2.16, 6.1.25, or 5.3.46 (e.g., the latest 6.x/7.x release).", "If an upgrade is not immediately possible, disable Java scripting engine view templates in the application configuration to prevent template resolution outside the intended directories."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected vendor is Spring, specifically Spring Framework. Key detail from the vendor list. The vulnerability exists in versions 5.3.0\u20115.3.46, 6.1.0\u20116.1.25, 6.2.0\u20116.2.16, and 7.0.0\u20117.0.5. There is no explicit patch version listed, but the issue is fixed in releases beyond those ranges.", "description_and_impact": "The vulnerability occurs when Spring Framework applications enable Java scripting engine templates (e.g., JRuby, Jython) in Spring MVC or Spring WebFlux. Key detail from CVE description: these templates can read files outside the intended view template directories, enabling disclosure of arbitrary file contents. The weakness correlates with CWE\u201120 (Improper Input Validation) and CWE\u201122 (Path Traversal) and can lead to sensitive data exposure such as configuration files or logs.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a Moderate severity. EPSS is not available and the vulnerability is not in CISA's KEV catalog, suggesting no known public exploitation yet. The likely attack vector is Remote, where an attacker crafts HTTP requests that cause the application to resolve a script view template pointing to an arbitrary file on the filesystem. If the application is publicly exposed, this can lead to disclosure of sensitive data without remote code execution. The overall risk is moderate but warrants prompt remediation."}}}}, "created": "2026-03-20T08:54:13.371707+00:00", "updated": "2026-03-20T14:14:41.652470+00:00", "vendors": ["spring", "spring$PRODUCT$spring_framework"]}