CVE-2026-22732

CVE Database · CVE-2026-22732

CVE-2026-22732

· CRITICALAnalyzed

CVSS v3.1

9.1

EPSS

0.44%

Published

Mar 19, 2026

Modified

Apr 16, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-425

Affected Products (6)

vmware · spring_security (up to 5.7.22)vulnerable

vmware · spring_security (up to 5.8.24)vulnerable

vmware · spring_security (up to 6.3.15)vulnerable

vmware · spring_security (up to 6.4.15)vulnerable

vmware · spring_security (up to 6.5.9)vulnerable

vmware · spring_security (up to 7.0.4)vulnerable

References (1)

https://spring.io/security/cve-2026-22732

Vendor AdvisoryExploit

KEV Catalog EPSS Scores Vendors All CVEs