CVE-2026-22737: Spring Framework Improper Path Limitation with Script View Templates

March 20, 2026

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

References

github.com/advisories/GHSA-4773-3jfm-qmx3
github.com/spring-projects/spring-framework
nvd.nist.gov/vuln/detail/CVE-2026-22737
spring.io/security/cve-2026-22737

Code Behaviors & Features

Detect and mitigate CVE-2026-22737 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →