CVE-2026-22732

critical

VMware

CVSS v3 Base Score

9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0%

Exploitation probability in 30 days

Top 96% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

High

Availability

None

Published: March 19, 2026 (55 days ago)

Last Modified: April 16, 2026

Vendor: VMware

Source: NVD

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

CWE

CWE-425

Affected Products

vmware spring security

References

🔗 spring.io

CVE-2026-22732

Vulnerability Report

Description

CWE

Affected Products

References