9 New Java Vulnerabilities - 1 Critical, 8 High Severity
Reflected cross-site scripting in the JDBC Test Servlet of SAP NetWeaver JAVA lets unauthenticated remote attackers craft malicious URLs that execute arbitrary JavaScript in a victim's browser once the victim opens the link. The Changed Scope (S:C) in the CVSS vector reflects that the vulnerable component (the servlet) and the impacted component (the victim's browser session) are different security authorities; consequences include session theft, credential harvesting, and unauthorized modification of web client data. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Cross-site scripting (XSS) in Spring Framework's MVC JSP form tags allows unauthenticated remote attackers to inject arbitrary HTML or JavaScript into rendered pages by supplying malicious values through the cssClass, cssErrorClass, or cssStyle tag attributes. Applications across four active Spring Framework release lines (5.3.x through 7.0.x) are affected when they pass user-controlled input directly into these tag attributes. No public exploit code has been identified at time of analysis, and CISA has not listed this CVE in the Known Exploited Vulnerabilities catalog, but the broad installed base of Spring MVC in enterprise Java environments and the high confidentiality impact (session hijacking, credential theft) warrant prompt patching.
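The exploitable condition above is an application handing client-controlled text to one of the cssClass, cssErrorClass or cssStyle attributes. The following Spring MVC controller is an added example written for this page, not code from the advisory or the Spring project; the endpoint paths, the `theme` request parameter, the `Profile` command object and the class names `form-light`/`form-dark` are assumptions chosen for illustration. It shows the vulnerable binding beside an allowlisted one:

```java
package example;

import java.util.Set;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ProfileFormController {

    // Command object bound by <form:form modelAttribute="profile"> in the JSP (assumed).
    public static class Profile {
        private String name = "";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Only the class names the stylesheet actually defines (assumed names).
    private static final Set<String> ALLOWED_THEMES = Set.of("form-light", "form-dark");

    // Vulnerable pattern: the raw request parameter is handed to the view, and the JSP
    // binds it straight into a form tag attribute:
    //   <form:form modelAttribute="profile">
    //     <form:input path="name" cssClass="${theme}"/>
    //   </form:form>
    // Whatever the client sends for ?theme= becomes part of the rendered attribute.
    @GetMapping("/profile/unsafe")
    public String unsafe(@RequestParam(defaultValue = "form-light") String theme, Model model) {
        model.addAttribute("theme", theme);
        model.addAttribute("profile", new Profile());
        return "profile";
    }

    // Hardened pattern: the attribute value is chosen from a fixed allowlist, so the tag
    // only ever renders one of two known strings and client input never reaches it.
    @GetMapping("/profile")
    public String safe(@RequestParam(defaultValue = "form-light") String theme, Model model) {
        model.addAttribute("theme", chooseTheme(theme));
        model.addAttribute("profile", new Profile());
        return "profile";
    }

    // Unknown or malformed values fall back to the default class name.
    static String chooseTheme(String requested) {
        return ALLOWED_THEMES.contains(requested) ? requested : "form-light";
    }
}
```

The allowlist is a compensating control, not a substitute for upgrading to a fixed release. To find candidate sinks in a code base, search JSP views for the three attributes taking an EL expression, for example `grep -rnE 'css(Class|ErrorClass|Style)="\$\{' src/main/webapp`, and trace each model attribute back to whether a request parameter, header or database field the user can write feeds it.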
Path traversal in Spring Framework's static resource resolution exposes arbitrary server files to unauthenticated remote attackers across both the Spring MVC and Spring WebFlux stacks. Four major release lines - 5.3.x, 6.1.x, 6.2.x, and 7.0.x - are affected, making this a broad-surface issue for the Java ecosystem. The CVSS vector indicates unauthenticated network access with high confidentiality impact, though the AC:H designation indicates non-trivial exploit conditions; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Denial of Service in Spring WebFlux's multipart request processing allows unauthenticated remote attackers to exhaust server resources. It affects Spring Framework 5.3.x through 7.0.x when applications use the reactive WebFlux stack and expose endpoints that accept multipart data; the servlet-based Spring MVC stack is not in scope for this issue. No public exploit code has been identified at time of analysis and there is no CISA KEV listing, but the network-reachable, zero-privilege attack surface warrants prompt patching for internet-facing WebFlux deployments.
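Independent of the patch, a WebFlux service that accepts uploads should bound what a single multipart request may cost it. The configuration below is an added example for this page, not code from the advisory or the Spring project; the limit values are assumptions and should be sized to the application's real upload needs. It installs a `DefaultPartHttpMessageReader` with explicit caps through the `WebFluxConfigurer` codec hook:

```java
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.web.reactive.config.WebFluxConfigurer;

// In a non-Boot application add @EnableWebFlux; under Spring Boot leave it off so
// the auto-configuration stays active and picks up this configurer.
@Configuration
public class MultipartLimitsConfig implements WebFluxConfigurer {

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader reader = new DefaultPartHttpMessageReader();

        // Maximum number of parts accepted in one request (assumed value).
        reader.setMaxParts(16);
        // Bytes buffered in memory per part before the reader spills to disk (assumed value).
        reader.setMaxInMemorySize(64 * 1024);
        // Bytes a single file part may occupy on disk once spilled (assumed value).
        reader.setMaxDiskUsagePerPart(5L * 1024 * 1024);
        // Bytes allowed for the headers of one part (assumed value).
        reader.setMaxHeadersSize(8 * 1024);

        // Replace the default multipart reader with the bounded one.
        configurer.defaultCodecs().multipartReader(reader);
    }
}
```

Under Spring Boot the same four knobs are exposed as the `spring.webflux.multipart.max-parts`, `max-in-memory-size`, `max-disk-usage-per-part` and `max-headers-size` properties. These limits cap the per-request resource budget of a legitimate multipart body; they do not on their own address whatever parsing behaviour the advisory covers, so the fixed Spring Framework release is still required.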
Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector indicates exploitation requires specific conditions beyond default network access.
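Both static-resource issues above (the path traversal and this cached-content disclosure) sit in the resource handler pipeline, so it is worth checking what that pipeline is allowed to reach. The configuration below is an added example for this page, not code from the advisory or the Spring project; the URL patterns and locations are assumptions. It contrasts a handler rooted in a broad filesystem location with one restricted to a packaged directory that contains only public assets:

```java
package example;

import java.util.concurrent.TimeUnit;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.CacheControl;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Weak setting: a handler rooted at a broad filesystem location. Any resolution
        // weakness in the handler then has the whole tree beneath it to work with.
        // registry.addResourceHandler("/files/**")
        //         .addResourceLocations("file:/var/app/");

        // Corrected setting: one packaged location holding nothing but public assets,
        // with explicit cache headers so the served content and its caching are intentional.
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/")
                .setCacheControl(CacheControl.maxAge(1, TimeUnit.HOURS));
    }
}
```

The WebFlux stack exposes the same method on `org.springframework.web.reactive.config.WebFluxConfigurer` with its own `ResourceHandlerRegistry`, and the same rule applies: keep resource locations to directories that contain only content meant for anonymous clients, and never point them at application configuration, data or the filesystem root. Narrow locations reduce what a resolution bug can disclose; they are not a replacement for the patched release.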
Multipart request smuggling in Spring Framework's MVC and WebFlux components (CWE-444, HTTP request/response smuggling) exposes applications to HTTP request manipulation. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, with a low integrity impact (I:L) against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Unbounded cache growth in Spring Framework's SpEL evaluator allows remote unauthenticated attackers to exhaust JVM heap memory and cause a Denial of Service across all active Spring Framework branches (5.3.x through 7.0.x). Exploitation is conditional on the application explicitly accepting and evaluating user-supplied SpEL expressions - a non-default architectural pattern - which significantly constrains real-world blast radius compared to what the network-vector CVSS suggests. No public exploit identified at time of analysis and no CISA KEV listing; the Medium CVSS score of 5.3 with limited availability impact (A:L) reflects the bounded nature of the threat.
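The precondition named above, an application that parses and evaluates SpEL strings supplied by the client, is worth recognising in code. The class below is an added example for this page, not code from the advisory or the Spring project; the `Person` type, the expression names and the expression text are assumptions. It shows the exposed pattern beside a replacement in which the client selects a precompiled expression by key and never reaches the parser:

```java
package example;

import java.util.Map;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelUsage {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Exposed pattern: the string comes from the request. Each distinct string is a new
    // expression to parse and evaluate, so the client decides how much the evaluator
    // has to do. Even the restricted SimpleEvaluationContext does not change that.
    static Object evaluateUserExpression(String untrustedExpr, Object root) {
        return PARSER.parseExpression(untrustedExpr)
                .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    // Hardened pattern: the expression set is fixed at startup (assumed names and text).
    private static final Map<String, Expression> NAMED = Map.of(
            "displayName", PARSER.parseExpression("firstName + ' ' + lastName"),
            "isAdult",     PARSER.parseExpression("age >= 18"));

    // The client only supplies a key; unknown keys are rejected before any parsing.
    static Object evaluateNamed(String key, Object root) {
        Expression expr = NAMED.get(key);
        if (expr == null) {
            throw new IllegalArgumentException("unknown expression key: " + key);
        }
        return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    // Root object with bean-style getters so SpEL data binding can read its properties.
    public static class Person {
        private final String firstName;
        private final String lastName;
        private final int age;

        public Person(String firstName, String lastName, int age) {
            this.firstName = firstName;
            this.lastName = lastName;
            this.age = age;
        }
        public String getFirstName() { return firstName; }
        public String getLastName() { return lastName; }
        public int getAge() { return age; }
    }

    public static void main(String[] args) {
        Person p = new Person("Ada", "Lovelace", 36);
        System.out.println(evaluateNamed("displayName", p));
        System.out.println(evaluateNamed("isAdult", p));
        try {
            evaluateNamed("firstName + lastName", p); // raw SpEL is not a key; rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

When auditing, look for `parseExpression(` calls whose argument is traceable to a request parameter, header, body field or a database column that users can write; those are the deployments for which the network-vector CVSS rating is realistic. Applications whose SpEL expressions are all literals in source or configuration are not in the exposed category described above.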
Predictable WebSocket session IDs in the spring-websocket module of Spring Framework allow an authenticated remote attacker to potentially enumerate or infer valid session identifiers and hijack WebSocket connections - but only when the target application also implements inadequate authorization rules on its WebSocket endpoints. All actively maintained Spring Framework release lines are affected: 5.3.x, 6.1.x, 6.2.x, and 7.0.x. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog; real-world exploitation is further bounded by high attack complexity and a required user interaction step.
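Since exploitability here depends on the application's own WebSocket authorization rules, the practical check is whether those rules exist and deny by default. The configuration below is an added example for this page, not code from the advisory or the Spring project; it assumes STOMP over WebSocket with Spring Security 6 (`@EnableWebSocketSecurity`), and the destination prefixes and role name are assumptions. It contrasts a permit-all rule with a default-deny policy:

```java
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity;
import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;

@Configuration
@EnableWebSocketSecurity
public class WebSocketAuthorizationConfig {

    // The builder is provided by @EnableWebSocketSecurity; this bean defines the policy.
    @Bean
    AuthorizationManager<Message<?>> messageAuthorizationManager(
            MessageMatcherDelegatingAuthorizationManager.Builder messages) {

        // Inadequate rule: anyone holding a session, guessed or otherwise, may subscribe
        // to and send on any destination.
        // messages.anyMessage().permitAll();

        messages
                // CONNECT, DISCONNECT and heartbeat frames carry no destination; require a login.
                .nullDestMatcher().authenticated()
                // Per-user error queue may be subscribed to by anyone already connected.
                .simpSubscribeDestMatchers("/user/queue/errors").permitAll()
                // Application messages and subscriptions need the USER role (assumed role).
                .simpDestMatchers("/app/**").hasRole("USER")
                .simpSubscribeDestMatchers("/user/**", "/topic/**").hasRole("USER")
                // Anything else that is a MESSAGE or SUBSCRIBE frame is refused outright.
                .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll()
                // Default deny for everything not matched above.
                .anyMessage().denyAll();
        return messages.build();
    }
}
```

Applications still on Spring Security 5.x express the same policy by extending `AbstractSecurityWebSocketMessageBrokerConfigurer` and overriding `configureInbound(MessageSecurityMetadataSourceRegistry)`. Applications that use plain `WebSocketHandler` endpoints rather than STOMP have no message-level rules to configure; there, each handler must check the authenticated principal on the session itself before acting on a frame. Neither replaces the patched spring-websocket release, but either one removes the "inadequate authorization" half of the precondition stated above.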