Description
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Published: 2026-03-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality disclosure of arbitrary files
Action: Upgrade
AI Analysis

Impact

The vulnerability allows the use of Java scripting engines such as JRuby or Jython in Spring MVC and WebFlux template views to read files outside the configured template directories. This can expose sensitive application configuration, source code, or other private files, leading to a confidentiality breach. The weakness is a path traversal or improper path validation, identified as CWE-22.

Affected Systems

Affected versions of Spring Framework include 5.3.0 through 5.3.46, 6.1.0 through 6.1.25, 6.2.0 through 6.2.16, and 7.0.0 through 7.0.5. The product is the Spring Framework from the Spring vendor.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, implying no known active exploitation. Based on the description, the likely attack vector is an application that supports script template views; an attacker with access to the application can supply a malicious template path to read arbitrary files. Mitigation requires application configuration changes or patching.

Generated by OpenCVE AI on March 20, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a non‑affected version (7.0.6 or later, 6.2.17 or later, 6.1.26 or later, 5.3.47 or later).
  • Restrict script template view directories to a trusted path and enforce strict path validation.
  • Disable or limit the use of Java scripting engines if they are not required.
  • Verify filesystem permissions so that the application process cannot read sensitive files outside its intended scope.
  • Stay informed about vendor advisories and apply security patches promptly.

Generated by OpenCVE AI on March 20, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4773-3jfm-qmx3 Spring Framework Improper Path Limitation with Script View Templates
History

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-22

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-22

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Framework
Vendors & Products Spring
Spring spring Framework

Fri, 20 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Title Spring Framework Improper Path Limitation with Script View Templates
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Spring Spring Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-03-20T14:43:50.722Z

Reserved: 2026-01-09T06:54:49.674Z

Link: CVE-2026-22737

cve-icon Vulnrichment

Updated: 2026-03-20T14:43:46.392Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T00:16:15.837

Modified: 2026-03-20T15:16:16.047

Link: CVE-2026-22737

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-19T23:53:59Z

Links: CVE-2026-22737 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:10:28Z

Weaknesses