Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Spring
Spring Framework

Spring Framework Vulnerabilities: CVEs, CISA KEV & Security Advisories

10 CVEs

Spring Framework Vulnerabilities

CVE security advisories and vulnerability history for Spring Framework by Spring.

10

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

0

Public exploits

With known exploit

6.4

Avg CVSS

2020–2026

Last updated March 19, 2026

Overview

Spring Framework has 10 published CVE records since 2020, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 0 have a known public exploit. The average CVSS base score across scored CVEs is 6.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting Spring Framework, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list. Affected platforms include 32 bit, 64 bit, ARM, Android, Linux, MacOS.

Severity and exploitation

How the CVSS severity of Spring Framework's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High5

Medium4

Low1

In CISA’s Known Exploited Vulnerabilities catalog

0

None of Spring Framework's CVEs are currently listed in CISA's KEV catalog.

Public exploits

0

No Spring Framework CVEs currently have a tracked public exploit.

Affected versions and CVEs

Browse every Spring Framework version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

6.0.151 CVE
6.1.21 CVE

Fixed in

v5.2.3.RELEASE2 CVEs
> 5.3.421 CVE
> 5.3.461 CVE
> 6.0.271 CVE
> 6.1.191 CVE
> 6.1.251 CVE
> 6.2.161 CVE
> 6.2.61 CVE
> 7.0.51 CVE
5.3.321 CVE
5.3.331 CVE
5.3.341 CVE
5.3.39, 6.0+1 CVE
5.3.431 CVE
6.0.141 CVE
6.0.171 CVE
6.0.181 CVE
6.0.191 CVE
6.0.281 CVE
6.1.201 CVE
6.1.41 CVE
6.1.51 CVE
6.1.61 CVE
6.2.71 CVE
v5.0.16.RELEASE1 CVE
v5.1.13.RELEASE1 CVE

Default status

All versions5 CVEs

Find a version

10 CVEs

Sort

Spring Framework Improper Path Limitation with Script View Templates
CVE-2026-22737
Patch
CWE-22
Medium · CVSS 5.9
EPSS 0.1% (27th pct)2026-03-19
Spring Framework DataBinder Case Sensitive Match Exception
CVE-2025-22233
Patch
CWE-20
Low · CVSS 3.1
EPSS 0.1% (24th pct)2025-05-16
CVE-2024-38808: Spring Expression DoS Vulnerability
CVE-2024-38808
Patch
CWE-770
Medium · CVSS 4.3
EPSS 0.8% (75th pct)2024-08-20
High vulnerability · 2024-04-16
CVE-2024-22262
Patch
CWE-601
High · CVSS 8.1
EPSS 12.6% (94th pct)2024-04-16
CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
CVE-2024-22259
Patch
CWE-601
High · CVSS 8.1
EPSS 56.4% (98th pct)2024-03-16
CVE-2024-22243: Spring Framework URL Parsing with Host Validation
CVE-2024-22243
Patch
CWE-601
High · CVSS 8.1
EPSS 60.1% (98th pct)2024-02-23
CVE-2024-22233: Spring Framework server Web DoS Vulnerability
CVE-2024-22233
Patch
CWE-400
High · CVSS 7.5
EPSS 1.5% (82th pct)2024-01-22
Medium vulnerability · 2023-11-28
CVE-2023-34053
Patch
Medium · CVSS 5.3
EPSS 0.8% (75th pct)2023-11-28
Medium vulnerability · 2020-01-17
CVE-2020-5397
Patch
CWE-352
Medium · CVSS 5.3
EPSS 0.9% (75th pct)2020-01-17
High vulnerability · 2020-01-16
CVE-2020-5398
Patch
CWE-79
High · CVSS 8.0
EPSS 90.2% (100th pct)2020-01-16

Common weakness types

The CWE weakness categories most often found in Spring Framework CVEs. Follow any weakness for its full explanation.

CWE-601URL Redirection to Untrusted Site ('Open Redirect')3 CVEs
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')1 CVE
CWE-352Cross-Site Request Forgery (CSRF)1 CVE
CWE-20Improper Input Validation1 CVE
CWE-770Allocation of Resources Without Limits or Throttling1 CVE
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')1 CVE
CWE-400Uncontrolled Resource Consumption1 CVE

Disclosure activity by year

How many Spring Framework CVEs were published each year.

2020

2

2023

1

2024

5

2025

1

2026

1

Other Spring products

Browse vulnerabilities for other products by Spring.

Spring Security15 CVEs Spring Boot13 CVEs Spring AI10 CVEs Spring Cloud Config6 CVEs Spring4 CVEs Spring Cloud Function2 CVEs Spring gRPC2 CVEs Spring Security OAuth2 CVEs

All Spring vulnerabilities

Frequently asked questions

Common questions about Spring Framework vulnerabilities.

How many CVEs does Spring Spring Framework have?

Spring Spring Framework has 10 published CVE records since 2020.

How many Spring Spring Framework CVEs are in CISA KEV?

None of Spring Spring Framework's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for Spring Spring Framework vulnerabilities?

No Spring Spring Framework CVEs currently have a tracked public exploit in this dataset.

Which versions of Spring Spring Framework are affected?

29 distinct Spring Spring Framework versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in Spring Spring Framework CVEs?

Spring Spring Framework's CVEs most often map to these CWE weakness types: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-20 (Improper Input Validation).

What is the average severity of Spring Spring Framework CVEs?

The average CVSS base score across Spring Spring Framework's scored CVEs is 6.4.

References

All Spring vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track Spring Framework vulnerabilities

Monitor new Spring Framework vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References