EUVD-2026-35331
GHSA-72pg-x5f8-j25j
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources.
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
AnalysisAI
Path traversal in Spring Framework's static resource resolution exposes arbitrary server files to unauthenticated remote attackers across both Spring MVC and Spring WebFlux stacks. Four major release lines - 5.3.x, 6.1.x, 6.2.x, and 7.0.x - are affected, making this a broad-surface issue for the Java ecosystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses Spring MVC or Spring WebFlux and has static resource resolution enabled - applications that do not serve static resources through Spring's resource handling layer are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.9 (Medium) is shaped primarily by the AC:H factor, which tempers what would otherwise be a higher-severity unauthenticated network attack (AV:N/PR:N/UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies an internet-facing Spring MVC or WebFlux application serving static resources and sends a crafted HTTP GET request with a path traversal sequence - such as a URL-encoded or double-encoded `../` chain - targeting the static resource endpoint. If the application's path normalization is bypassed, the framework resolves and returns the content of a file outside the web root, such as application configuration files or OS-level files like `/etc/passwd`. … |
| Remediation | Consult the VMware Spring security advisory at https://spring.io/security/cve-2026-41843 for confirmed fixed release versions, as the provided input data does not specify exact patched version numbers and none can be independently confirmed here. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess
Share
External POC / Exploit Code
Leaving vuln.today