spring-framework
Safeguard articles tagged "spring-framework" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Spring Framework Security Guide (2026)
Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.
Spring4Shell (CVE-2022-22965) Explained: RCE Through Spring Data Binding
CVE-2022-22965, Spring4Shell, let attackers write a JSP web shell to Spring MVC apps on JDK 9+ by abusing data binding. Here is the ClassLoader trick and the exact conditions required.
Spring4Shell Retrospective: What CVE-2022-22965 Actually Cost the Industry
Spring4Shell was hyped as the next Log4Shell and turned out to be neither as broad nor as harmless as the early coverage suggested. A 2026 look back at the real numbers.
Spring4Shell (CVE-2022-22965): root cause and remote code...
Spring4Shell (CVE-2022-22965) let attackers manipulate Java class loaders via Spring data binding to achieve RCE on Tomcat-deployed apps. Root cause, timeline, and fixes.
Spring4Shell RCE in Spring Framework (CVE-2022-22965)
A deep dive into CVE-2022-22965 (Spring4Shell): the critical Spring Framework RCE, its exploitation chain, timeline, and how to remediate it fast.
CVE-2016-1000027: Remote code execution via Spring HttpIn...
A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.
CVE-2018-1270: Remote code execution in Spring Messaging ...
CVE-2018-1270 is a critical, unauthenticated RCE in Spring Messaging's STOMP-over-WebSocket support. Here's what's affected, how severe it is, and how to remediate it.
CVE-2020-5398: Content-type bypass in Spring Framework
CVE-2020-5398 lets attackers bypass Spring Framework RFD protections via Content-Disposition, tricking browsers into downloading malicious files.