{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22735", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.674Z", "datePublished": "2026-03-19T23:37:35.587Z", "dateUpdated": "2026-03-20T14:44:48.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}, "title": "Server Sent Event stream corruption", "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.5", "versionType": "custom"}, {"status": "affected", "version": "6.2.0", "lessThanOrEqual": "6.2.16", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThanOrEqual": "6.1.25", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThanOrEqual": "5.3.46", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 2.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-667", "lang": "en", "description": "CWE-667 Improper Locking"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:44:28.334199Z", "id": "CVE-2026-22735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:44:48.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Server Sent Event stream corruption", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Foundation", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.5"}, {"status": "affected", "version": "6.2.0", "versionType": "custom", "lessThanOrEqual": "6.2.16"}, {"status": "affected", "version": "6.1.0", "versionType": "custom", "lessThanOrEqual": "6.1.25"}, {"status": "affected", "version": "5.3.0", "versionType": "custom", "lessThanOrEqual": "5.3.46"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22735"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.", "supportingMedia": [{"type": "text/html", "value": "<p>Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).&nbsp;<span>This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.</span></p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:37:35.587Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T14:44:28.334199Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-667", "description": "CWE-667 Improper Locking"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-20T14:44:42.805Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22735", "state": "PUBLISHED", "dateUpdated": "2026-03-19T23:37:35.587Z", "dateReserved": "2026-01-09T06:54:49.674Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T23:37:35.587Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46."}], "id": "CVE-2026-22735", "lastModified": "2026-03-20T15:16:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.697", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22735"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.2.0,6.2.16]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,6.1.25]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.46]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Foundation", "source": "cna", "vendor": "Spring"}, "product": "spring_foundation", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-20T12:22:58.377673+00:00", "value": {"mitigation_remediation": ["Verify whether your application uses Spring MVC or WebFlux with Server\u2011Sent Events.", "Determine the exact Spring Framework version in use.", "Upgrade to a non\u2011vulnerable release: Spring\u00a07.0.6 or newer, 6.2.17 or newer, 6.1.26 or newer, or 5.3.47 or newer.", "If an upgrade cannot be performed immediately, disable or remove SSE endpoints until a patch is available.", "Regularly consult spring.io/security for updates and apply any new patches as soon as they are released."], "summary": {"action": "Patch", "impact": "Data Corruption"}, "threat_synthesis": {"affected_systems": "Spring Foundation products are affected. Vulnerable releases include Spring Framework 7.0.0\u20117.0.5, 6.2.0\u20116.2.16, 6.1.0\u20116.1.25, and 5.3.0\u20115.3.46.", "description_and_impact": "Spring MVC and WebFlux applications using Server\u2011Sent Events are vulnerable to stream corruption, which can cause the event stream to become corrupted or fail. The weakness involves improper input validation and invalid end\u2011of\u2011data handling (CWE-20 and CWE-749). While the vulnerability does not provide remote code execution, it can disrupt data integrity and availability between the server and client, potentially affecting applications that rely on continuous event streams.", "risk_and_exploitability": "The CVSS score is 2.6, indicating a low severity level. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The risk is primarily to data consistency and application availability for sites exposing SSE endpoints. A remote attacker could trigger the corruption by interacting with an SSE endpoint if the application allows external access to it. No public exploits have been reported. The attack vector is inferred to be remote due to the need to access an exposed SSE endpoint."}}}}, "created": "2026-03-20T08:54:16.101543+00:00", "updated": "2026-03-20T14:14:42.979900+00:00", "vendors": ["spring", "spring$PRODUCT$spring_foundation"]}