{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22735", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.674Z", "datePublished": "2026-03-19T23:37:35.587Z", "dateUpdated": "2026-03-20T14:44:48.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}, "title": "Server Sent Event stream corruption", "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.5", "versionType": "custom"}, {"status": "affected", "version": "6.2.0", "lessThanOrEqual": "6.2.16", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThanOrEqual": "6.1.25", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThanOrEqual": "5.3.46", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 2.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-667", "lang": "en", "description": "CWE-667 Improper Locking"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:44:28.334199Z", "id": "CVE-2026-22735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:44:48.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T14:44:28.334199Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-667", "description": "CWE-667 Improper Locking"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:44:42.805Z"}}], "cna": {"title": "Server Sent Event stream corruption", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.5"}, {"status": "affected", "version": "6.2.0", "versionType": "custom", "lessThanOrEqual": "6.2.16"}, {"status": "affected", "version": "6.1.0", "versionType": "custom", "lessThanOrEqual": "6.1.25"}, {"status": "affected", "version": "5.3.0", "versionType": "custom", "lessThanOrEqual": "5.3.46"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22735", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:44:48.043Z", "dateReserved": "2026-01-09T06:54:49.674Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T23:37:35.587Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46."}], "id": "CVE-2026-22735", "lastModified": "2026-03-20T15:16:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.697", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22735"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events", "id": "2449347", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449347"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-115", "details": ["A flaw was found in Spring MVC and WebFlux. A remote attacker with low privileges could exploit this vulnerability, requiring user interaction. This could lead to stream corruption, potentially affecting the integrity of data being transmitted."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-22735", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-19T23:37:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22735\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22735\nhttps://spring.io/security/cve-2026-22735"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.2.0,6.2.16]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,6.1.25]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.46]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Foundation", "source": "cna", "vendor": "Spring"}, "product": "spring_foundation", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-20T12:22:58.377673+00:00", "value": {"mitigation_remediation": ["Verify whether your application uses Spring MVC or WebFlux with Server\u2011Sent Events.", "Determine the exact Spring Framework version in use.", "Upgrade to a non\u2011vulnerable release: Spring\u00a07.0.6 or newer, 6.2.17 or newer, 6.1.26 or newer, or 5.3.47 or newer.", "If an upgrade cannot be performed immediately, disable or remove SSE endpoints until a patch is available.", "Regularly consult spring.io/security for updates and apply any new patches as soon as they are released."], "summary": {"action": "Patch", "impact": "Data Corruption"}, "threat_synthesis": {"affected_systems": "Spring Foundation products are affected. Vulnerable releases include Spring Framework 7.0.0\u20117.0.5, 6.2.0\u20116.2.16, 6.1.0\u20116.1.25, and 5.3.0\u20115.3.46.", "description_and_impact": "Spring MVC and WebFlux applications using Server\u2011Sent Events are vulnerable to stream corruption, which can cause the event stream to become corrupted or fail. The weakness involves improper input validation and invalid end\u2011of\u2011data handling (CWE-20 and CWE-749). While the vulnerability does not provide remote code execution, it can disrupt data integrity and availability between the server and client, potentially affecting applications that rely on continuous event streams.", "risk_and_exploitability": "The CVSS score is 2.6, indicating a low severity level. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The risk is primarily to data consistency and application availability for sites exposing SSE endpoints. A remote attacker could trigger the corruption by interacting with an SSE endpoint if the application allows external access to it. No public exploits have been reported. The attack vector is inferred to be remote due to the need to access an exposed SSE endpoint."}}}}, "created": "2026-03-20T08:54:16.101543+00:00", "updated": "2026-03-20T14:14:42.979900+00:00", "vendors": ["spring", "spring$PRODUCT$spring_foundation"]}