CVE-2026-22740

EUVD-2026-26205
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.

Older, unsupported versions are also affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
vmwareCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
vmwarespring
7.0.0 ≤
𝑥
< 7.0.7
CNA
vmwarespring
6.2.0 ≤
𝑥
< 6.2.18
CNA
vmwarespring
6.1.0 ≤
𝑥
< 6.1.27
CNA
vmwarespring
5.3.0 ≤
𝑥
< 5.3.48
CNA
Common Weakness Enumeration
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1
https://spring.io/security/cve-2026-22740