Every Spring CVE,

fully mapped.

Spring CVEs span a wide range of projects, from Framework and Security to AI and Data, and for most teams the practical question is whether the Spring Boot version they ship is exposed. This hub catalogs every CVE published across the Spring ecosystem and maps each one to the Boot versions it affects, a cross-reference that project-level advisories don't provide.

Get Pricing
Learn About NES for Spring
Spring Boot EOL Status

On This Page:

CVE ExplorerMigration CalculatorResources

192

Distinct patches

6

Spring Boot Lines Covered

0

Unpatched Vulnerabilities

2,400+

Artifacts Monitored & Patched

This data is provided as a reference summary and may not reflect the latest patch releases or newly published CVEs. For authoritative vulnerability details visit the HeroDevs Vulnerability Directory, and for the full history of NES patch releases see the NES for Spring Release Notes.
CVE ID Severity Project / Artifact Type NES for Spring Boot Published NES Patch(es)

Select a Spring Boot version to see every CVE that affects projects in that generation — with NES patch versions and links to release notes.

Spring Migration Calculator

Estimate the time, risk, and effort required to migrate from Spring Boot 3.5 to Spring Boot 4 before end of life.

This Spring Boot 3 → 4 Migration Calculator helps you estimate the real-world effort required based on application size, dependencies, team capacity, and mandatory platform upgrades, so you can plan ahead before Spring Boot 3.5 reaches end of life.

For what the estimator is, how to use it, and why it matters as Spring Boot end-of-life approaches, click here to learn more.

Spring Upgrade Migration Estimator

Tell us about your Migration
Please enter at least 1 application
Please enter at least 1 developer
Spring Project Utilization
Boot Framework
Application Specific Upgrade Requirements
Estimated Migration Time
0 weeks

Spring Forward: Navigating the Breaking Changes in Spring Boot 4.0

The Spring Boot 4.0 migration is bigger than it looks. Spring Boot 4.0 introduces 83 breaking changes with an estimated 200–500 hours of migration effort. Most teams don't know what they're walking into. After conducting a survey of 100 spring developers, Java Champion Steve Poole has some unique insight into what team may be missing, and worse, how underprepared many of them may be. This Downloadable eBook Guide catalogues every breaking change across three tiers, and from compiler failures to silent production bugs so your team can size the work honestly and sequence it right.

Download Now
Book cover with a boot and a sneaker titled 'Spring Forward' about changes in Spring Boot 4.0 by Steve Poole.

Resources

View All Articles

Products

Jun 4, 2026

Spring Boot 3.5 EOL: What the Migration Really Takes
Spring Boot 3.5 EOL: What the Migration Really Takes
Spring Boot 3.5 reaches open-source end of life on June 30, 2026. The move to 4.x is an 83-change platform migration estimated at 200–500 hours — and AI accelerates the edits, not the judgment.

Read More

Security

May 18, 2026

Spring AI 2.0 Is Coming Soon. Your Boot 4.0 Migration Does Not Have to Start Tomorrow.
Spring AI 2.0 Is Coming Soon. Your Boot 4.0 Migration Does Not Have to Start Tomorrow.
Spring AI 2.0 GA is scheduled for May 28. Here is what teams on Spring Boot 3.x need to know about the Boot 4.0 requirement, the real migration scope, and how to approach the upgrade without putting production at risk.

Read More

Security

May 15, 2026

Spring Boot Managed Dependencies Still Get CVEs After EOL: May 2026 Patch Round-Up
Spring Boot Managed Dependencies Still Get CVEs After EOL: May 2026 Patch Round-Up
24 upstream CVEs landed across Tomcat, Netty, Thymeleaf, Jetty, and pgjdbc in a single month — every one reachable through the Spring Boot managed-dependency BOM on at least one EOL line.

Read More

Security

May 15, 2026

Spring Framework April 2026: 3 Web Stack DoS and Cache Poisoning CVEs
Spring Framework April 2026: 3 Web Stack DoS and Cache Poisoning CVEs
How a single April 17 release addressed three independent denial-of-service vectors in the Spring 5.3, 6.1, 6.2, and 7.0 web stack, with two of those branches receiving fixes only on commercial subscriptions

Read More

Thought Leadership

May 13, 2026

How a Group of Developers Took Back Control of Enterprise Java: The Spring Story, And Why It Still Matters
How a Group of Developers Took Back Control of Enterprise Java: The Spring Story, And Why It Still Matters
HeroDevs is proud to be the Platinum sponsor of "Spring: The Documentary," a new film from Tech Documentaries telling the story of how Spring transformed enterprise Java. Watch it on CultRepo's YouTube channel.

Read More

Thought Leadership

May 11, 2026

30 CVEs in Two Months: What the Spring Numbers Tell Us About the Future of Open Source Security
30 CVEs in Two Months: What the Spring Numbers Tell Us About the Future of Open Source Security
Why the CVE explosion is breaking traditional security models—and what enterprises must do next.

Read More

Security

May 11, 2026

Spring Security April 2026: 7 CVEs Including Two Critical Authorization Bypasses
Spring Security April 2026: 7 CVEs Including Two Critical Authorization Bypasses
How a single April 21 advisory cycle reshaped the Spring Security threat model from CVSS 9.6 client registration through 8.1 servlet path matching

Read More

Security

May 8, 2026

CVE-2026-40982: Critical Spring Cloud Config Server Directory Traversal (CVSS 9.8)
CVE-2026-40982: Critical Spring Cloud Config Server Directory Traversal (CVSS 9.8)
A pre-auth path traversal in spring-cloud-config-server lets unauthenticated attackers read arbitrary files on the host. Affects 3.1.x through 5.0.x, with no upstream fix for EOL branches.

Read More

Ready to Eliminate EOL Risk?

Start scanning your codebase today. Identify every end-of-life package in minutes, not hours.
Start Free Scan
Arrow
Schedule Demo
End-of-Life Dataset results
Request A Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.