CVE-2026-22741

Summary

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Affected Software

VendorProductVersion RangeStatus
VMwareSpring Framework7.0.0 < 7.0.7affected
VMwareSpring Framework6.2.0 < 6.2.18affected
VMwareSpring Framework6.1.0 < 6.1.27affected
VMwareSpring Framework5.3.0 < 5.3.48affected

Weaknesses

  • CWE-524: CWE-524 Information Exposure Through Caching

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References