Description

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

PUBLISHED Reserved 2026-01-09 | Published 2026-03-19 | Updated 2026-03-20 | Assigner vmware




LOW: 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Product status

Default status: unaffected

7.0.0 (custom): affected

6.2.0 (custom): affected

6.1.0 (custom): affected

5.3.0 (custom): affected

References

spring.io/security/cve-2026-22735

cve.org (CVE-2026-22735)

nvd.nist.gov (CVE-2026-22735)
