Spring Framework: Malicious File Disclosure in Template Views
CVE-2026-22737
Summary
Spring MVC and Spring WebFlux applications that render views through a Java scripting engine (script template views backed by, for example, JRuby or Jython) can disclose the content of files outside the locations configured for those templates. Only applications that use this view type are exposed; the remediation is to upgrade to a Spring Framework release outside the affected version ranges listed below.
Original title
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured location...
Original description
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
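As an added triage example (not part of the advisory and not Spring's own code), the script below covers the two questions the summary and description above raise for a responder: is the resolved Spring Framework version inside one of the affected ranges, and does the application actually configure script template views. The `mvn dependency:list` line format it parses and the sample dependency and configuration text are constructed for the example; `ScriptTemplateConfigurer`, `ScriptTemplateViewResolver` and `ScriptTemplateView` are the public Spring Framework types for this feature, but matching them is a heuristic for "feature configured", not proof that a disclosure path is reachable.

```python
"""Triage helper for CVE-2026-22737 (Spring Framework script template views).

Two checks: whether a resolved spring-webmvc / spring-webflux version falls
inside the affected ranges quoted in the advisory, and whether the
application wires up script template views at all, since only applications
that use that view type are exposed.
"""
import re

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 0, 5)),
    ((6, 2, 0), (6, 2, 16)),
    ((6, 1, 0), (6, 1, 25)),
    ((5, 3, 0), (5, 3, 46)),
)

# Spring Framework modules that carry the MVC and WebFlux view machinery.
VIEW_MODULES = {"spring-webmvc", "spring-webflux"}

# Public Spring types used to enable script template views. A hit means the
# feature is configured; it does not by itself prove an exploitable path.
SCRIPT_VIEW_MARKERS = (
    "ScriptTemplateConfigurer",
    "ScriptTemplateViewResolver",
    "ScriptTemplateView",
)


def parse_version(text):
    """Return (major, minor, patch) from '6.2.16' or '7.0.5-SNAPSHOT'.

    Raises ValueError when the string does not start with three numeric parts.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version lies inside any advisory range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Maven coordinates as printed by `mvn dependency:list`:
# group:artifact:type:version:scope (format assumed for this example).
DEP_LINE = re.compile(r"org\.springframework:(spring-[a-z]+):jar:([^:\s]+):")


def spring_view_modules(dependency_output):
    """Map module -> version for spring-webmvc / spring-webflux in the output."""
    found = {}
    for line in dependency_output.splitlines():
        m = DEP_LINE.search(line)
        if m and m.group(1) in VIEW_MODULES:
            found[m.group(1)] = m.group(2)
    return found


def uses_script_views(source_text):
    """Heuristic: does this Java/Kotlin/XML config text reference the feature?"""
    return any(marker in source_text for marker in SCRIPT_VIEW_MARKERS)


def assess(dependency_output, sources):
    """Combine both checks into a verdict. 'sources' is config text to scan."""
    modules = spring_view_modules(dependency_output)
    vulnerable = {m: v for m, v in modules.items() if is_affected(v)}
    configured = any(uses_script_views(s) for s in sources)
    if vulnerable and configured:
        verdict = "EXPOSED: affected version and script template views configured; upgrade"
    elif vulnerable:
        verdict = "AFFECTED VERSION: upgrade; script template views not found in config"
    elif configured:
        verdict = "NOT AFFECTED: script template views configured but version outside ranges"
    else:
        verdict = "NOT AFFECTED"
    return {
        "modules": modules,
        "vulnerable": vulnerable,
        "script_views_configured": configured,
        "verdict": verdict,
    }


# Constructed sample input for the example (not data from a real project).
SAMPLE_DEPENDENCIES = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:6.2.16:compile
[INFO]    org.springframework:spring-webmvc:jar:6.2.16:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.0:compile
"""

SAMPLE_CONFIG = """\
@Bean
public ScriptTemplateConfigurer scriptTemplateConfigurer() {
    ScriptTemplateConfigurer configurer = new ScriptTemplateConfigurer();
    configurer.setEngineName("jruby");
    configurer.setResourceLoaderPath("classpath:/templates/");
    return configurer;
}
"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_DEPENDENCIES, [SAMPLE_CONFIG]), indent=2))
```

Run it against real input by piping `mvn dependency:list` output into `assess` together with the contents of your Spring configuration classes or XML; a version inside a range with no script template configuration still warrants the upgrade, since the dependency ranges are what the advisory states, while the configuration check only narrows which applications have the exposed feature turned on.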
NVD CVSS 3.1 base score: 5.9
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026