CVE-2026-22741
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/04/2026
Last modified:
04/05/2026
Description
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.<br />
<br />
<br />
More precisely, an application can be vulnerable when all the following are true:<br />
<br />
* the application is using Spring MVC or Spring WebFlux<br />
* the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled<br />
* the application adds support for encoded resources resolution<br />
* the resource cache must be empty when the attacker has access to the application<br />
<br />
<br />
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Impact
Base Score 3.x
3.10
Severity 3.x
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | 5.3.48 (excluding) | |
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | 6.1.0 (including) | 6.1.27 (excluding) |
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.2.18 (excluding) |
| cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | 7.0.0 (including) | 7.0.7 (excluding) |
To consult the complete list of CPE names with products and versions, see this page