CVE-2026-22735

Summary

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Foundation7.0.0 <= 7.0.5affected
SpringSpring Foundation6.2.0 <= 6.2.16affected
SpringSpring Foundation6.1.0 <= 6.1.25affected
SpringSpring Foundation5.3.0 <= 5.3.46affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References