{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22735", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.674Z", "datePublished": "2026-03-19T23:37:35.587Z", "dateUpdated": "2026-03-20T14:44:48.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}, "title": "Server Sent Event stream corruption", "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.5", "versionType": "custom"}, {"status": "affected", "version": "6.2.0", "lessThanOrEqual": "6.2.16", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThanOrEqual": "6.1.25", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThanOrEqual": "5.3.46", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 2.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-667", "lang": "en", "description": "CWE-667 Improper Locking"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:44:28.334199Z", "id": "CVE-2026-22735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:44:48.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T14:44:28.334199Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-667", "description": "CWE-667 Improper Locking"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:44:42.805Z"}}], "cna": {"title": "Server Sent Event stream corruption", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.5"}, {"status": "affected", "version": "6.2.0", "versionType": "custom", "lessThanOrEqual": "6.2.16"}, {"status": "affected", "version": "6.1.0", "versionType": "custom", "lessThanOrEqual": "6.1.25"}, {"status": "affected", "version": "5.3.0", "versionType": "custom", "lessThanOrEqual": "5.3.46"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22735", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:44:48.043Z", "dateReserved": "2026-01-09T06:54:49.674Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T23:37:35.587Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4FC0718-4A47-49D5-B623-285871B5135F", "versionEndExcluding": "5.3.47", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "08D94F4A-EDD9-4CA2-836A-D61B17A4E894", "versionEndExcluding": "6.1.26", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "1168AB82-987E-473E-8485-DE606AF254EB", "versionEndExcluding": "6.2.17", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CA275C7-33A7-49A2-ADE8-0ABF81E00327", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46."}, {"lang": "es", "value": "Las aplicaciones Spring MVC y WebFlux son vulnerables a la corrupci\u00f3n de flujo al usar Eventos Enviados por el Servidor (SSE). Este problema afecta a Spring Foundation: desde 7.0.0 hasta 7.0.5, desde 6.2.0 hasta 6.2.16, desde 6.1.0 hasta 6.1.25, desde 5.3.0 hasta 5.3.46."}], "id": "CVE-2026-22735", "lastModified": "2026-04-23T14:21:22.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.697", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22735"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events", "id": "2449347", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449347"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-115", "details": ["A flaw was found in Spring MVC and WebFlux. A remote attacker with low privileges could exploit this vulnerability, requiring user interaction. This could lead to stream corruption, potentially affecting the integrity of data being transmitted."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-22735", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-19T23:37:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22735\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22735\nhttps://spring.io/security/cve-2026-22735"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.2.0,6.2.16]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,6.1.25]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.46]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Foundation", "source": "cna", "vendor": "Spring"}, "product": "spring_foundation", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-21T08:07:50.482060+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Spring Framework release that addresses the SSE stream corruption (at least 7.0.6, or the corresponding patch for earlier branches).", "Verify that no legacy Spring versions are in use across all applications and that all components run a patched build.", "If an upgrade is not immediately possible, restrict access to SSE endpoints to trusted clients and perform integrity checks on received data before processing.", "Monitor SSE traffic for signs of corruption and apply compensating controls if malformed data is detected."], "summary": {"action": "Patch", "impact": "Stream Corruption in Server\u2011Sent Events"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Spring Foundation core libraries used by Spring MVC and Spring WebFlux. Projects running Spring Framework versions 5.3.0 through 5.3.46, 6.1.0 through 6.1.25, 6.2.0 through 6.2.16, and 7.0.0 through 7.0.5 that expose Server\u2011Sent Events endpoints are at risk. Any web applications or microservices relying on Spring\u2019s SSE support for real\u2011time data delivery fall within the affected scope.", "description_and_impact": "Spring MVC and Spring WebFlux applications are vulnerable to Server\u2011Sent Events stream corruption. The issue stems from improper handling of event data, causing garbled payloads to be delivered to clients. This represents a data integrity weakness, classified as CWE\u2011115 and CWE\u2011667, and can lead to incorrect application behavior or downstream services receiving malformed input. It does not provide code execution or privilege escalation, but it can degrade service quality.", "risk_and_exploitability": "The CVSS score is 2.6, indicating low severity. An EPSS score below 1% shows a very small chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. While the input does not specify an attack vector, it is inferred that an attacker would need to send or manipulate SSE traffic to the affected application, which would generally require some level of access to the client side or the network path. Consequently, the overall risk remains low, though malformed data could compromise information integrity if an attacker succeeds."}}}}, "created": "2026-03-20T08:54:16.101543+00:00", "updated": "2026-03-25T14:10:31.499289+00:00", "vendors": ["spring", "spring$PRODUCT$spring_foundation"]}