Fluid Attacks Database

Description

Spring MVC and WebFlux has Server Sent Event stream corruption Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
rpm rhel9	resteasy	-	-
maven	org.springframework:spring-webmvc	>=7.0.0-m1 <7.0.6 \|\| >=6.2.0 <6.2.17 \|\| >=6.0.0 <=6.1.21 \|\| >=5.3.0 <=5.3.39	7.0.6, 6.2.17
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-webflux	>=7.0.0-m1 <7.0.6 \|\| >=6.2.0 <6.2.17 \|\| >=6.0.0 <=6.1.21 \|\| >=5.3.0 <=5.3.39	7.0.6, 6.2.17
rpm rhel8	log4j	-	-
rpm rhel9	log4j	-	-
rpm rhel8	resteasy	-	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-

Aliases

1. CVE-2026-227352. NVD-2026-227353. OSV-DEBIAN-2026-227354. OSV-2026-227355. GCVE-2026-227356. SECURITY-TRACKER-CVE-2026-22735

References

1. https://spring.io/security/cve-2026-22735