[EdwardDiego]

The whole basis of this claim was a commit in a merged PR yeah?

[richbell]

No. There was a credible report, but one of the blogs (Cyber Kendra) linked to a commit that mentioned RCE off hand and said "it looks like they're cleaning up".

https://spring.io/blog/2022/03/31/spring-framework-rce-early...