CVE-2026-22737: Path Traversal in Spring Framework

Affects: Spring Framework (NES for Spring)
Versions: >=4.2.0 <=6.2.16, >=7.0.0 <=7.0.5
Status: Patch available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is an open-source application framework for the Java platform that provides comprehensive infrastructure support for developing enterprise-level Java applications. It offers features including dependency injection, web frameworks (Spring MVC and WebFlux), data access, messaging, and more.

A medium-severity vulnerability (CVE-2026-22737) has been identified in Spring Framework. The ScriptTemplateView class in both Spring MVC (spring-webmvc) and Spring WebFlux (spring-webflux) does not validate or normalize the resource location before resolving a template. Its getResource(String location) method concatenates each configured resource loader path with the location parameter without checking for path traversal sequences, and it never verifies that the resolved resource lies under the configured base path. An attacker who can influence the template location (for example, through a view name or template URL derived from request input) may be able to read arbitrary files accessible to the application process.

Per OWASP: A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

This issue affects versions 4.2.0 through 6.2.16 and 7.0.0 through 7.0.5 of Spring Framework.

Details

Module Info

Affected modules: spring-webmvc and spring-webflux (class ScriptTemplateView in each).

Vulnerability Info

This medium-severity vulnerability is found in the ScriptTemplateView class within both the spring-webmvc and spring-webflux modules of Spring Framework across all listed affected versions.

ScriptTemplateView enables server-side rendering with JSR 223 script engines (such as Nashorn, GraalJS, or other JavaScript engines). Applications configure it with one or more resource loader paths where templates are expected to reside (the default is classpath:, and templates are typically placed under a restricted location such as classpath:templates/ or WEB-INF/). When a template is requested, the getResource(String location) method resolves the template file by iterating over the configured paths, concatenating each with the provided location, and returning the first resource that exists.

Prior to the fix, the getResource() method had three issues:

1. No path normalization. The location parameter was concatenated directly with the resource loader path without being normalized. Path traversal sequences such as ../ were passed through as-is.

2. No traversal rejection. No check was performed to detect and reject suspicious input containing path traversal sequences.

3. No boundary enforcement. The method only checked resource.exists() and did not verify that the resolved resource was actually located under the configured base path.

Additionally, the setResourceLoaderPath(String) method prepended an empty string ("") as the first element of the resource loader paths array. Because getResource() tries the paths in order, every lookup was attempted against the resource loader's root first, so a template location could be resolved against the application root even when the user had explicitly configured a restricted base path such as classpath:templates/.
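To make the three missing checks and the "" prefix concrete, the following is an added stand-alone model of the lookup, written for this page and not taken from Spring Framework. It stands in java.nio.file.Path for Spring's ResourceLoader/Resource so that it runs with a plain JDK, builds a throwaway directory layout (constructed for the demo), and shows the pre-fix ordering (the implicit "" entry ahead of the configured path) handing back a file outside the template directory, then the same request against a resolver that rejects traversal sequences, normalizes, and enforces the base-path boundary. The names resolveUnchecked and resolveChecked, the file layout, and the secret file contents are assumptions for the illustration. Save it as TemplateResolverDemo.java.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration of ScriptTemplateView.getResource()'s resolution logic.
 * Not Spring code: base paths are java.nio.file.Path values instead of
 * ResourceLoader prefixes, and the first existing candidate wins, as in Spring.
 */
public class TemplateResolverDemo {

    /** Pre-fix behaviour: plain concatenation, existence check only. */
    static Path resolveUnchecked(List<Path> bases, String location) {
        for (Path base : bases) {
            // No normalize(): "../" segments are passed through as-is.
            Path candidate = base.resolve(location);
            if (Files.exists(candidate)) {
                return candidate;        // no check that it is under base
            }
        }
        return null;
    }

    /** Hardened behaviour: reject traversal, normalize, enforce the base boundary. */
    static Path resolveChecked(List<Path> bases, String location) {
        // Traversal rejection: template names never legitimately contain ".." or start at "/".
        if (location.contains("..") || location.startsWith("/")) {
            throw new IllegalArgumentException("rejected suspicious template location: " + location);
        }
        for (Path base : bases) {
            Path root = base.toAbsolutePath().normalize();
            // Normalization, then boundary enforcement: the candidate must stay under root.
            Path candidate = root.resolve(location).normalize();
            if (!candidate.startsWith(root)) {
                continue;
            }
            if (Files.isRegularFile(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/templates/index.html is the only legitimate template;
        // <tmp>/application.properties plays the role of a secret outside the template root.
        Path appRoot = Files.createTempDirectory("scripttemplate-demo");
        Path templates = Files.createDirectories(appRoot.resolve("templates"));
        Files.writeString(templates.resolve("index.html"), "<h1>hello</h1>");
        Files.writeString(appRoot.resolve("application.properties"), "db.password=secret");

        // Mirrors setResourceLoaderPath("<appRoot>/templates/") before the fix:
        // the unrestricted root (the implicit "" entry) comes first, the configured path second.
        List<Path> preFixPaths = new ArrayList<>();
        preFixPaths.add(appRoot);
        preFixPaths.add(templates);

        String attackerLocation = "../application.properties";

        Path legit = resolveUnchecked(preFixPaths, "index.html");
        System.out.println("unchecked, legitimate: " + legit);

        // Escapes templates/ and hands back the secret file; which base entry hits
        // depends on the layout, but no entry is ever checked against a boundary.
        Path escaped = resolveUnchecked(preFixPaths, attackerLocation);
        System.out.println("unchecked, traversal:  " + escaped);
        System.out.println("  contents: " + Files.readString(escaped));

        // Hardened resolver with only the configured base path, as the fix intends.
        System.out.println("checked, legitimate:   " + resolveChecked(List.of(templates), "index.html"));
        try {
            resolveChecked(List.of(templates), attackerLocation);
        } catch (IllegalArgumentException ex) {
            System.out.println("checked, traversal:    " + ex.getMessage());
        }
    }
}
```

The boundary check uses Path.startsWith, which compares whole path components, so a sibling directory such as templates-old/ does not pass as being under templates/. Rejecting any ".." substring up front is deliberately coarse: template locations are developer-chosen names, so the false-positive cost is nil and it catches encoded or mixed-separator variants that normalize() alone would not.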

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Until an upgrade is possible, ensure that ScriptTemplateView template locations (view names or template URLs) are never derived from request-controlled input, since the issue is only reachable by an attacker who can influence the location passed to getResource().

Credits

  • Gyu-hyeok Lee (g2h) (finder)
Vulnerability Details

Severity: Medium

Severity scale used on this page (CVSS assessment):
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-22737
Project Affected: Spring Framework
Versions Affected: >=4.2.0 <=6.2.16, >=7.0.0 <=7.0.5
Published date: March 20, 2026
Approximate fix date: March 20, 2026
Category: Path Traversal