
CVE-2026-22732

Published 19/03/2026 23:16 · Modified 20/03/2026 15:16

Labels: CVE-2026-22732, 2026-03-19, CWE-425, [email protected]

Essential information

Published: 19/03/2026 23:16
Modified: 20/03/2026 15:16
Author:
Creator:
CVSS: 9.1 CRITICAL (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
spring project / spring security | cpe:2.3:a:spring_project:spring_security:5.7.0-5.7.21:*:*:*:*:*:*:*
spring project / spring security | cpe:2.3:a:spring_project:spring_security:5.8.0-5.8.23:*:*:*:*:*:*:*
spring project / spring security | cpe:2.3:a:spring_project:spring_security:6.3.0-6.3.14:*:*:*:*:*:*:*
spring project / spring security | cpe:2.3:a:spring_project:spring_security:6.4.0-6.4.14:*:*:*:*:*:*:*
spring project / spring security | cpe:2.3:a:spring_project:spring_security:6.5.0-6.5.8:*:*:*:*:*:*:*
spring project / spring security | cpe:2.3:a:spring_project:spring_security:7.0.0-7.0.3:*:*:*:*:*:*:*

References