The Volume Illusion
Enterprise security teams measure framework risk by counting CVEs. By that metric, Spring looks exemplary: 46 total CVEs across its entire history. Django has 294. Laravel has 218. Flask has 186 NVD keyword matches (mostly extensions, not core). Rails has 137. Spring's number is the second-lowest among major server-side frameworks, beaten only by FastAPI's 39. The intuition is obvious: fewer vulnerabilities means a safer framework. That intuition is wrong.
WebPulse's June 2026 security analysis reveals that Spring's 46 CVEs carry an average CVSS score of 6.82 — firmly in the 'medium-high' severity band. Of those 46 vulnerabilities, 9 are critical and 16 are high severity. That is 25 of 46: 54% of all Spring CVEs are rated high or critical. Two have been actively exploited in the wild. The volume is low. The damage potential per vulnerability is not.
The Score Drop No One Expected
Spring's WebPulse security score tells the trajectory story. In April 2026, Spring scored 55.6 out of 100. In May, it slipped to 55.0 — a minor decline easy to dismiss as noise. In June, it collapsed to 42.0. A 13.6-point drop in two months. For context, Django holds steady at 80.0. Laravel sits at 80.0. Rails is at 84.0. FastAPI leads at 95.0. Spring now scores lower than every major framework except WordPress (25.0).
The drop is driven by Spring's 14 CVEs in the last year alone — nearly a third of its entire historical total. The framework that enterprise Java teams trusted precisely because of its low CVE count is accumulating vulnerabilities at an accelerating rate, and the new ones are severe.
Authentication Bypass and Code Injection: The CWE Pattern
Spring's top two CWE categories are CWE-287 (authentication bypass) and CWE-94 (code injection), each appearing 5 times. These are not nuisance bugs. Authentication bypass means an attacker walks past your login page. Code injection means an attacker runs their own code on your infrastructure. The remaining top patterns — CWE-400 (resource exhaustion, 3 occurrences) and CWE-295 (improper certificate validation, 3 occurrences) — round out a profile of a framework whose vulnerabilities consistently target the most sensitive security boundaries: identity, execution, availability, and transport encryption.
The Comparison That Rewrites the Risk Model
Rails has 137 total CVEs — three times Spring's count. But Rails has zero critical CVEs, only 3 high-severity issues, zero actively exploited vulnerabilities, and a security score of 84.0. Django has 294 CVEs — more than six times Spring's total — and holds a security score of 80.0. Flask has 186 NVD keyword matches (mostly community extensions) and scores 90.0. The frameworks with higher CVE counts are, by every severity metric, safer than Spring. This inverts conventional procurement wisdom. A CISO reviewing a vendor questionnaire sees 'Spring: 46 CVEs' versus 'Django: 294 CVEs' and concludes Spring is safer by a factor of six. WebPulse's data shows the opposite: Spring's 46 include 9 critical and 16 high-severity issues with 2 actively exploited. Django's 294 are overwhelmingly low and medium severity.
What This Means for Enterprise Java
Spring's overall WebPulse score remains 62.5, buoyed by an AI-readiness score of 80.0 and strong community metrics. The framework is not dying. But its security profile has fundamentally shifted. Organizations running Spring in production need to stop citing '46 CVEs' as evidence of security and start examining which 46. The authentication bypass and code injection patterns mean that Spring vulnerabilities, when they appear, give attackers exactly what they want: access and execution. Security scoring that counts CVEs without weighting severity gives enterprise decision-makers a false sense of safety. The number that matters is not how many vulnerabilities a framework has. It is how much damage each one does.
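The difference between counting CVEs and weighting them can be made concrete with a small script. The following is an added illustration, not code or data from WebPulse or from this article: the two CVE lists are constructed (placeholder identifiers, no real framework), the severity bands follow the NVD CVSS v3 convention, and the per-band weights and exploited-in-the-wild multiplier are assumptions chosen for the example, not WebPulse's scoring formula.

```python
"""Raw CVE count versus a severity-weighted view of the same records.

Added example for this article. All CVE records below are constructed
(placeholder IDs, no real framework); the weights are assumptions.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Cve:
    cve_id: str      # placeholder identifier, not a real CVE number
    cvss: float      # CVSS base score, 0.0 to 10.0
    cwe: str         # CWE category of the weakness
    exploited: bool  # known exploitation in the wild


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def profile(cves):
    """The metrics a vendor questionnaire should ask for, not just len()."""
    bands = {"critical": 0, "high": 0, "medium": 0, "low": 0, "none": 0}
    for c in cves:
        bands[severity_band(c.cvss)] += 1
    n = len(cves)
    high_crit = bands["critical"] + bands["high"]
    return {
        "count": n,
        "mean_cvss": round(mean(c.cvss for c in cves), 2) if n else 0.0,
        "high_or_critical": high_crit,
        "high_or_critical_pct": round(100.0 * high_crit / n, 1) if n else 0.0,
        "exploited": sum(c.exploited for c in cves),
        "bands": bands,
    }


# Assumed weights for the example: a critical bug counts ten times a low one,
# and confirmed in-the-wild exploitation triples the weight of a record.
BAND_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 1.0, "none": 0.0}
EXPLOITED_MULTIPLIER = 3.0


def weighted_risk(cves) -> float:
    """Severity-aware alternative to len(cves): sum of per-record weights."""
    total = 0.0
    for c in cves:
        w = BAND_WEIGHT[severity_band(c.cvss)]
        if c.exploited:
            w *= EXPLOITED_MULTIPLIER
        total += w
    return total


# Constructed sample data: a "few but severe" history versus "many but mild".
FEW_SEVERE = [
    Cve("CVE-XXXX-0001", 9.8, "CWE-287", True),
    Cve("CVE-XXXX-0002", 9.8, "CWE-94", False),
    Cve("CVE-XXXX-0003", 7.5, "CWE-400", False),
    Cve("CVE-XXXX-0004", 5.3, "CWE-295", False),
]
MANY_MILD = [Cve(f"CVE-XXXX-{i:04d}", 4.3, "CWE-79", False) for i in range(100, 120)] + [
    Cve("CVE-XXXX-0200", 6.5, "CWE-352", False),
    Cve("CVE-XXXX-0201", 3.7, "CWE-200", False),
]


def riskier_by_count(a, b) -> str:
    """What a count-only questionnaire concludes."""
    return "a" if len(a) > len(b) else "b"


def riskier_by_weight(a, b) -> str:
    """What the severity-weighted view concludes."""
    return "a" if weighted_risk(a) > weighted_risk(b) else "b"


if __name__ == "__main__":
    for name, cves in (("few_severe", FEW_SEVERE), ("many_mild", MANY_MILD)):
        print(name, profile(cves), "weighted risk:", weighted_risk(cves))
    print("riskier by count:", riskier_by_count(FEW_SEVERE, MANY_MILD))
    print("riskier by weight:", riskier_by_weight(FEW_SEVERE, MANY_MILD))
```

On the constructed data the count-only view names the 22-CVE list as the riskier one, while the weighted view names the 4-CVE list, because three of its four records are high or critical and one is exploited. The exact weights are arbitrary; the point a reviewer should take from a questionnaire is the band breakdown and the exploited count, which the `profile` function returns alongside the raw total.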