0--spring-security-web-5.8.16.jar00-/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/spring-security-web-5.8.16.jarFALLBACK-db203dab11CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)trivyTrivy Security Scanner-1395HIGHspring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)CVE-2026-227320--spring-security-web-5.8.16.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/spring-security-web-5.8.16.jarFALLBACK-db203dab11CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)trivyTrivy Security Scanner-1395HIGHspring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)CVE-2026-227320--spring-security-web-5.8.16.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/spring-security-web-5.8.16.jarFALLBACK-db203dab11CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)trivyTrivy Security Scanner-1395HIGHspring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)CVE-2026-2273233 warnings (high: 3)