CVE-2026-22735

EUVD-2026-13404
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
vmwarespring_framework
𝑥
< 5.3.47
vmwarespring_framework
6.1.0 ≤
𝑥
< 6.1.26
vmwarespring_framework
6.2.0 ≤
𝑥
< 6.2.17
vmwarespring_framework
7.0.0 ≤
𝑥
< 7.0.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://spring.io/security/cve-2026-22735