Skip to main content

Spring Boot Admin

3 CVEs product

Monthly

CVE-2026-62242 HIGH POC PATCH This Week

Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).

Java SSRF Spring Boot Admin
NVD GitHub
CVSS 4.0
7.7
EPSS
0.3%
CVE-2023-38286 Maven HIGH POC PATCH This Week

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Java RCE Command Injection Spring Boot Admin Thymeleaf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-46166 Maven CRITICAL PATCH Act Now

Spring boot admins is an open source administrative user interface for management of spring boot applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Java Spring Boot Admin
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).

Java SSRF Spring Boot Admin
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Java RCE Command Injection +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Spring boot admins is an open source administrative user interface for management of spring boot applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Java +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy