What is the CVSS score of CVE-2026-22732?

CVE-2026-22732 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Java are affected by CVE-2026-22732?

A critical vulnerability in Spring Security affects multiple versions and prevents proper HTTP security headers from being written to responses, potentially exposing applications to cross-site…. A patch is available.

Java CVE-2026-22732

EUVD-2026-13347 CRITICAL

Direct Request ('Forced Browsing') (CWE-425)

2026-03-19 vmware

GHSA-mf92-479x-3373

Java Information Disclosure

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 04:50 vuln.today

cvss_changed

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 19, 2026 - 23:00 euvd

EUVD-2026-13347

Analysis Generated

Mar 19, 2026 - 23:00 vuln.today

CVE Published

Mar 19, 2026 - 22:47 nvd

CRITICAL 9.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

279 maven packages depend on org.springframework.security:spring-security-web (240 direct, 39 indirect)

Ecosystem-wide dependent count for version 5.8.0.

DescriptionNVD

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

AnalysisAI

Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. …

RemediationAI

Within 24 hours: Identify all applications using Spring Security versions 5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, or 7.0.0-7.0.3 and assess exposure. Within 7 days: Implement WAF rules to inject critical security headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy) at the edge and apply network segmentation to limit affected application exposure. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-22732 vulnerability details – vuln.today

Back

Java CVE-2026-22732

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code