Severity by source
Primary rating from the vendor (VMware): AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.
Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Analysis (AI)
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the application expose a code path where untrusted input can flow into a Spring Security RelyingPartyRegistration field (for example, a tenant admin UI that builds registrations from user-supplied SAML metadata or form fields), an authenticated account with privileges sufficient to influence that input (CVSS PR:L), and a victim who subsequently visits a Spring Security-generated SAML form so the payload renders in their browser (CVSS UI:R). … |
| Risk Assessment | The CVSS 3.1 score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) reflects a network-reachable, low-complexity issue that requires some level of privilege (PR:L) and user interaction (UI:R), with a changed scope and high confidentiality impact, consistent with stored/reflected XSS reaching a victim's browser session. … |
| Exploit Scenario | In a multi-tenant Spring application that lets lower-privileged users register or update SAML relying party metadata, an attacker with such an account submits a crafted entity ID or URL field containing an HTML/script payload; when an administrator or another tenant user is later directed to the Spring Security SAML filter that renders the auto-submit form, the payload executes in their browser, allowing session theft or actions on behalf of the victim. No public proof-of-concept code has been identified at time of analysis. |
| Remediation | Upgrade to a patched maintenance release on each supported branch as documented in the Spring advisory at https://spring.io/security/cve-2026-41003, specifically the next release after the upper bound listed for each branch (5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, and 7.0.6, or their successors, per the affected ranges); exact fix versions should be confirmed against the vendor advisory before deployment. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running Spring Security 5.7.x, 6.0.x, or 7.0.x with SAML 2.0 relying party functionality. …
References
EUVD-2026-35887
GHSA-3pjj-qpw6-5fcm