Fluid Attacks Database

Description

Spring Framework Improper Path Limitation with Script View Templates Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel8	log4j	-	-
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
rpm rhel9	log4j	-	-
maven	org.springframework:spring-webmvc	>=7.0.0-m1 <7.0.6 \|\| >=6.2.0 <6.2.17 \|\| >=6.0.0 <=6.1.21 \|\| >=5.3.0 <=5.3.39	7.0.6, 6.2.17
maven	org.springframework:spring-webflux	>=7.0.0-m1 <7.0.6 \|\| >=6.2.0 <6.2.17 \|\| >=6.0.0 <=6.1.21 \|\| >=5.3.0 <=5.3.39	7.0.6, 6.2.17
rpm rhel9	resteasy	-	-
rpm rhel8	resteasy	-	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-

Aliases

1. CVE-2026-227372. NVD-2026-227373. OSV-2026-227374. OSV-DEBIAN-2026-227375. GCVE-2026-227376. SECURITY-TRACKER-CVE-2026-22737

References

1. https://spring.io/security/cve-2026-22737