On March 30th, 2022, a 0-day exploit in the popular Java framework was discovered that results in Remote Code Execution (RCE) via data binding.
More about this vulnerability might be found at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement.
The VIVO core source is not a Spring framework-based application, but there is dependency on spring-beans and spring-context in [VIVO]/api/pom.xml.