{"id":"GHSA-wg35-8jpf-2xv3","summary":"Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.","details":"Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.\n\n\nMore precisely, an application can be vulnerable when all the following are true:\n\n  *  the application is using Spring MVC or Spring WebFlux\n  *  the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled\n  *  the application adds support for encoded resources resolution\n  *  the resource cache must be empty when the attacker has access to the application\n\n\nWhen all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.","aliases":["CVE-2026-22741"],"modified":"2026-05-08T02:14:22.909412888Z","published":"2026-04-29T12:33:07Z","related":["CGA-85xp-6fw4-28g9"],"database_specific":{"github_reviewed_at":"2026-05-06T22:28:11Z","cwe_ids":["CWE-524"],"github_reviewed":true,"nvd_published_at":"2026-04-29T12:16:18Z","severity":"LOW"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22741"},{"type":"WEB","url":"https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title"},{"type":"PACKAGE","url":"https://github.com/spring-projects/spring-framework"},{"type":"WEB","url":"https://spring.io/security/cve-2026-22741"}],"affected":[{"package":{"name":"org.springframework:spring-webflux","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webflux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.0.7"}]}],"versions":["7.0.0","7.0.1","7.0.2","7.0.3","7.0.4","7.0.5","7.0.6"],"database_specific":{"last_known_affected_version_range":"\u003c= 7.0.6","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webflux","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webflux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.18"}]}],"versions":["6.2.0","6.2.1","6.2.10","6.2.11","6.2.12","6.2.13","6.2.14","6.2.15","6.2.16","6.2.17","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.7","6.2.8","6.2.9"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.2.17","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webflux","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webflux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"last_affected":"6.1.26"}]}],"versions":["6.1.0","6.1.1","6.1.10","6.1.11","6.1.12","6.1.13","6.1.14","6.1.15","6.1.16","6.1.17","6.1.18","6.1.19","6.1.2","6.1.20","6.1.21","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webflux","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webflux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.3.47"}]}],"versions":["5.0.0.RELEASE","5.0.1.RELEASE","5.0.10.RELEASE","5.0.11.RELEASE","5.0.12.RELEASE","5.0.13.RELEASE","5.0.14.RELEASE","5.0.15.RELEASE","5.0.16.RELEASE","5.0.17.RELEASE","5.0.18.RELEASE","5.0.19.RELEASE","5.0.2.RELEASE","5.0.20.RELEASE","5.0.3.RELEASE","5.0.4.RELEASE","5.0.5.RELEASE","5.0.6.RELEASE","5.0.7.RELEASE","5.0.8.RELEASE","5.0.9.RELEASE","5.1.0.RELEASE","5.1.1.RELEASE","5.1.10.RELEASE","5.1.11.RELEASE","5.1.12.RELEASE","5.1.13.RELEASE","5.1.14.RELEASE","5.1.15.RELEASE","5.1.16.RELEASE","5.1.17.RELEASE","5.1.18.RELEASE","5.1.19.RELEASE","5.1.2.RELEASE","5.1.20.RELEASE","5.1.3.RELEASE","5.1.4.RELEASE","5.1.5.RELEASE","5.1.6.RELEASE","5.1.7.RELEASE","5.1.8.RELEASE","5.1.9.RELEASE","5.2.0.RELEASE","5.2.1.RELEASE","5.2.10.RELEASE","5.2.11.RELEASE","5.2.12.RELEASE","5.2.13.RELEASE","5.2.14.RELEASE","5.2.15.RELEASE","5.2.16.RELEASE","5.2.17.RELEASE","5.2.18.RELEASE","5.2.19.RELEASE","5.2.2.RELEASE","5.2.20.RELEASE","5.2.21.RELEASE","5.2.22.RELEASE","5.2.23.RELEASE","5.2.24.RELEASE","5.2.25.RELEASE","5.2.3.RELEASE","5.2.4.RELEASE","5.2.5.RELEASE","5.2.6.RELEASE","5.2.7.RELEASE","5.2.8.RELEASE","5.2.9.RELEASE","5.3.0","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.14","5.3.15","5.3.16","5.3.17","5.3.18","5.3.19","5.3.2","5.3.20","5.3.21","5.3.22","5.3.23","5.3.24","5.3.25","5.3.26","5.3.27","5.3.28","5.3.29","5.3.3","5.3.30","5.3.31","5.3.32","5.3.33","5.3.34","5.3.35","5.3.36","5.3.37","5.3.38","5.3.39","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webmvc","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webmvc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.0.7"}]}],"versions":["7.0.0","7.0.1","7.0.2","7.0.3","7.0.4","7.0.5","7.0.6"],"database_specific":{"last_known_affected_version_range":"\u003c= 7.0.6","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webmvc","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webmvc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.18"}]}],"versions":["6.2.0","6.2.1","6.2.10","6.2.11","6.2.12","6.2.13","6.2.14","6.2.15","6.2.16","6.2.17","6.2.2","6.2.3","6.2.4","6.2.5","6.2.6","6.2.7","6.2.8","6.2.9"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.2.17","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webmvc","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webmvc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"last_affected":"6.1.26"}]}],"versions":["6.1.0","6.1.1","6.1.10","6.1.11","6.1.12","6.1.13","6.1.14","6.1.15","6.1.16","6.1.17","6.1.18","6.1.19","6.1.2","6.1.20","6.1.21","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}},{"package":{"name":"org.springframework:spring-webmvc","ecosystem":"Maven","purl":"pkg:maven/org.springframework/spring-webmvc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.3.47"}]}],"versions":["1.0","1.0-rc1","1.0.1","1.1","1.1-rc1","1.1-rc2","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.2","1.2-rc1","1.2-rc2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","2.0","2.0-m1","2.0-m2","2.0-m3","2.0-m4","2.0-m5","2.0-rc1","2.0-rc2","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.5","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.6.SEC01","2.5.6.SEC02","2.5.6.SEC03","3.0.0.RELEASE","3.0.1.RELEASE","3.0.2.RELEASE","3.0.3.RELEASE","3.0.4.RELEASE","3.0.5.RELEASE","3.0.6.RELEASE","3.0.7.RELEASE","3.1.0.RELEASE","3.1.1.RELEASE","3.1.2.RELEASE","3.1.3.RELEASE","3.1.4.RELEASE","3.2.0.RELEASE","3.2.1.RELEASE","3.2.10.RELEASE","3.2.11.RELEASE","3.2.12.RELEASE","3.2.13.RELEASE","3.2.14.RELEASE","3.2.15.RELEASE","3.2.16.RELEASE","3.2.17.RELEASE","3.2.18.RELEASE","3.2.2.RELEASE","3.2.3.RELEASE","3.2.4.RELEASE","3.2.5.RELEASE","3.2.6.RELEASE","3.2.7.RELEASE","3.2.8.RELEASE","3.2.9.RELEASE","4.0.0.RELEASE","4.0.1.RELEASE","4.0.2.RELEASE","4.0.3.RELEASE","4.0.4.RELEASE","4.0.5.RELEASE","4.0.6.RELEASE","4.0.7.RELEASE","4.0.8.RELEASE","4.0.9.RELEASE","4.1.0.RELEASE","4.1.1.RELEASE","4.1.2.RELEASE","4.1.3.RELEASE","4.1.4.RELEASE","4.1.5.RELEASE","4.1.6.RELEASE","4.1.7.RELEASE","4.1.8.RELEASE","4.1.9.RELEASE","4.2.0.RELEASE","4.2.1.RELEASE","4.2.2.RELEASE","4.2.3.RELEASE","4.2.4.RELEASE","4.2.5.RELEASE","4.2.6.RELEASE","4.2.7.RELEASE","4.2.8.RELEASE","4.2.9.RELEASE","4.3.0.RELEASE","4.3.1.RELEASE","4.3.10.RELEASE","4.3.11.RELEASE","4.3.12.RELEASE","4.3.13.RELEASE","4.3.14.RELEASE","4.3.15.RELEASE","4.3.16.RELEASE","4.3.17.RELEASE","4.3.18.RELEASE","4.3.19.RELEASE","4.3.2.RELEASE","4.3.20.RELEASE","4.3.21.RELEASE","4.3.22.RELEASE","4.3.23.RELEASE","4.3.24.RELEASE","4.3.25.RELEASE","4.3.26.RELEASE","4.3.27.RELEASE","4.3.28.RELEASE","4.3.29.RELEASE","4.3.3.RELEASE","4.3.30.RELEASE","4.3.4.RELEASE","4.3.5.RELEASE","4.3.6.RELEASE","4.3.7.RELEASE","4.3.8.RELEASE","4.3.9.RELEASE","5.0.0.RELEASE","5.0.1.RELEASE","5.0.10.RELEASE","5.0.11.RELEASE","5.0.12.RELEASE","5.0.13.RELEASE","5.0.14.RELEASE","5.0.15.RELEASE","5.0.16.RELEASE","5.0.17.RELEASE","5.0.18.RELEASE","5.0.19.RELEASE","5.0.2.RELEASE","5.0.20.RELEASE","5.0.3.RELEASE","5.0.4.RELEASE","5.0.5.RELEASE","5.0.6.RELEASE","5.0.7.RELEASE","5.0.8.RELEASE","5.0.9.RELEASE","5.1.0.RELEASE","5.1.1.RELEASE","5.1.10.RELEASE","5.1.11.RELEASE","5.1.12.RELEASE","5.1.13.RELEASE","5.1.14.RELEASE","5.1.15.RELEASE","5.1.16.RELEASE","5.1.17.RELEASE","5.1.18.RELEASE","5.1.19.RELEASE","5.1.2.RELEASE","5.1.20.RELEASE","5.1.3.RELEASE","5.1.4.RELEASE","5.1.5.RELEASE","5.1.6.RELEASE","5.1.7.RELEASE","5.1.8.RELEASE","5.1.9.RELEASE","5.2.0.RELEASE","5.2.1.RELEASE","5.2.10.RELEASE","5.2.11.RELEASE","5.2.12.RELEASE","5.2.13.RELEASE","5.2.14.RELEASE","5.2.15.RELEASE","5.2.16.RELEASE","5.2.17.RELEASE","5.2.18.RELEASE","5.2.19.RELEASE","5.2.2.RELEASE","5.2.20.RELEASE","5.2.21.RELEASE","5.2.22.RELEASE","5.2.23.RELEASE","5.2.24.RELEASE","5.2.25.RELEASE","5.2.3.RELEASE","5.2.4.RELEASE","5.2.5.RELEASE","5.2.6.RELEASE","5.2.7.RELEASE","5.2.8.RELEASE","5.2.9.RELEASE","5.3.0","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.14","5.3.15","5.3.16","5.3.17","5.3.18","5.3.19","5.3.2","5.3.20","5.3.21","5.3.22","5.3.23","5.3.24","5.3.25","5.3.26","5.3.27","5.3.28","5.3.29","5.3.3","5.3.30","5.3.31","5.3.32","5.3.33","5.3.34","5.3.35","5.3.36","5.3.37","5.3.38","5.3.39","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wg35-8jpf-2xv3/GHSA-wg35-8jpf-2xv3.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"}]}