Yesterday, an RCE vulnerability in the Spring Framework was announced:
Spring Framework RCE, Early Announcement
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
While, as of now, only WAR deployments of Spring Boot applications running under Apache Tomcat seem to be affected, it is still recommended to upgrade to Spring Boot 2.6.6 as soon as possible, even for Spring-based applications deployed as a JAR, because “the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet”.
So, in case you’re deploying Spring Boot or Spring-based applications using WAR files, an immediate upgrade to Spring Boot 2.6.6 / Spring Framework 5.3.18 is highly recommended.
If your Spring-based applications are deployed via JAR files, you’re probably safe for now, but upgrading Spring Boot and Spring Framework dependencies as soon as possible would still be advisable.
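The two checks above (is the build a WAR on JDK 9+, and is it below Spring Boot 2.6.6 / Spring Framework 5.3.18?) are easy to run over a project's pom.xml before deciding how urgent the upgrade is. The following script is an added example, not code from the post or from the Spring project; it assumes a Maven project that inherits from `spring-boot-starter-parent`, and the two pom documents embedded in it are constructed samples with placeholder coordinates.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions quoted in the post: Spring Boot 2.6.6 / Spring Framework 5.3.18.
FIXED_BOOT = (2, 6, 6)
FIXED_FRAMEWORK = (5, 3, 18)

# Constructed sample poms (placeholder coordinates, not from any real project):
# a WAR build on an unpatched Boot release and a JAR build already on the fixed one.
VULNERABLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
  </parent>
  <groupId>example.placeholder</groupId>
  <artifactId>demo-war</artifactId>
  <packaging>war</packaging>
  <properties>
    <java.version>11</java.version>
  </properties>
</project>
"""

PATCHED_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.6</version>
  </parent>
  <groupId>example.placeholder</groupId>
  <artifactId>demo-jar</artifactId>
  <properties>
    <java.version>17</java.version>
  </properties>
</project>
"""


def parse_version(text):
    """'2.6.5' or '5.3.17.RELEASE' -> (2, 6, 5) / (5, 3, 17); non-numeric tails are dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def java_major(text):
    """Map a java.version property to its major release: '1.8' -> 8, '11' -> 11, '17.0.2' -> 17."""
    if not text:
        return None
    parts = text.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    m = re.match(r"\d+", parts[0])
    return int(m.group()) if m else None


def assess_pom(pom_xml):
    """Return the declared versions plus a risk label derived from the advisory's conditions."""
    root = ET.fromstring(pom_xml)
    # A pom may or may not declare the default Maven namespace; reuse whatever the root uses.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text(path):
        node = root.find("/".join(ns + p for p in path.split("/")))
        return node.text.strip() if node is not None and node.text else None

    boot_version = None
    if text("parent/artifactId") == "spring-boot-starter-parent":
        boot_version = text("parent/version")

    # Collect <properties>; spring-framework.version there overrides the parent-managed version.
    props = {}
    props_node = root.find(ns + "properties")
    if props_node is not None:
        for child in props_node:
            props[child.tag[len(ns):]] = (child.text or "").strip()
    framework_version = props.get("spring-framework.version") or None
    packaging = text("packaging") or "jar"  # Maven's default packaging is jar
    jdk = java_major(props.get("java.version"))

    boot_outdated = boot_version is not None and parse_version(boot_version) < FIXED_BOOT
    framework_outdated = (framework_version is not None
                          and parse_version(framework_version) < FIXED_FRAMEWORK)
    outdated = boot_outdated or framework_outdated

    # An unknown JDK is treated as JDK 9+ (the worse case) rather than silently passing.
    if outdated and packaging == "war" and (jdk is None or jdk >= 9):
        risk = "HIGH"      # all reported preconditions met: upgrade immediately
    elif outdated:
        risk = "UPGRADE"   # not all preconditions met, but the advisory still says upgrade
    else:
        risk = "OK"
    return {"boot": boot_version, "framework": framework_version,
            "packaging": packaging, "jdk": jdk, "risk": risk}


if __name__ == "__main__":
    for label, pom in (("war build", VULNERABLE_POM), ("jar build", PATCHED_POM)):
        print(label, assess_pom(pom))
```

The script only looks at what the pom declares. The version that actually ends up on the classpath is decided by Maven's dependency management, so confirm the result with `mvn dependency:tree` (look for `org.springframework:spring-core` and `spring-beans`), and remember that `java.version` in the pom is a compile target; the JDK the container runs on is what counts for the "JDK 9+" condition.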