- How many CVEs does Spring have?
- Spring has 172 published CVE records since 2018, including 116 in the last two years.
- How many Spring CVEs are in CISA KEV?
- Yes — 2 of Spring's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.
- Which Spring products have the most CVEs?
- The Spring products with the most published CVEs are Spring Framework, spring security, Spring Boot, Spring AI, Spring Web Services.
- What are the most common weakness types in Spring CVEs?
- Spring's CVEs most often map to these CWE weakness types: CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-770 (Allocation of Resources Without Limits or Throttling).
- Are there public exploits for Spring vulnerabilities?
- Yes — 12 of Spring's CVEs have a known public exploit.
- How many critical Spring vulnerabilities are there?
- Spring has 18 critical and 75 high-severity CVEs.
- What is the average severity of Spring CVEs?
- The average CVSS base score across Spring's scored CVEs is 7.0.