Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Network-reachable RemotingHandler requires low-privilege auth (PR:L), attacker must engineer reflected error content (AC:H), victim interaction required (UI:R); XSS yields integrity-only impact with no confidentiality or availability consequence.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.
Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
AnalysisAI
Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Spring Web Flow is a Spring Framework extension for orchestrating multi-step stateful web workflows. Its JavaScript RemotingHandler provides server-side AJAX/remoting support for workflow transitions triggered by browser-side JavaScript. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting): the handler fails to enforce content-type boundaries when constructing error responses, treating the response body as renderable HTML in the browser even when the HTTP Content-Type header declares a non-HTML media type. If server-generated error details echo back attacker-controlled input (e.g., from form fields, path parameters, or query strings that surface in exception or validation messages), that content is injected into the DOM without sanitization. The CPE cpe:2.3:a:spring:spring_web_flow:*:*:*:*:*:*:*:* covers the Spring Web Flow component published by the Spring (VMware/Broadcom) project.
RemediationAI
The primary remediation is to apply the vendor-released patch documented in the Spring security advisory at https://spring.io/security/cve-2026-40986; the exact fixed version number is not present in available intelligence and must be confirmed directly from that advisory before upgrading. As a compensating control while patching is scheduled, deploy a Content Security Policy (CSP) response header (e.g., default-src 'self'; script-src 'self') to block inline script execution in the browser - note this may require updating application JavaScript to eliminate inline handlers and eval() usage, which carries development overhead. Additionally, configure server-side output encoding for any user-supplied data that may appear in error messages returned by RemotingHandler endpoints; Spring's HtmlUtils.htmlEscape() or equivalent can be applied at the error-generation layer. Restricting authenticated access to RemotingHandler endpoints to the minimum necessary user population reduces the attacker pool consistent with PR:L.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36201
GHSA-hw5c-xm3c-v96w