Skip to main content

Spring Framework EUVD-2026-35333

| CVE-2026-41845 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 vmware GHSA-3chg-m5w7-qfv5
XSS Java
7.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:08 vuln.today

DescriptionNVD

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Articles & Coverage 1

News 9 New Java Vulnerabilities - 1 Critical, 8 High Severity Jun 10, 2026

AnalysisAI

Cross-site scripting in Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 allows remote attackers to inject JavaScript into victim browsers when applications rely on JavaScriptUtils.javaScriptEscape() for output encoding. The flaw stems from incomplete escaping in this utility method, and successful exploitation requires user interaction (UI:R) such as visiting a crafted page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Spring app using javaScriptEscape()
Delivery
Craft payload that escapes JS string context
Exploit
Deliver via reflected URL or stored input
Execution
Victim loads page rendering payload
Persist
Browser executes injected JavaScript
Impact
Steal session tokens or perform actions as user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Spring application actually renders attacker-controlled input into a JavaScript context using JavaScriptUtils.javaScriptEscape() (directly in code or via JSP tags whose javaScriptEscape attribute delegates to it) - applications that escape with OWASP Java Encoder, Thymeleaf's th:inline='javascript' (when used correctly), or JSON serialization are not exposed through this code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N (7.1 High) indicates network-reachable, low-complexity, unauthenticated exploitation that nonetheless requires a user to interact with attacker-influenced content - typical of reflected/stored XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or submits stored content (e.g., a profile field, search term, or comment) containing a payload designed to break out of the partial escaping performed by JavaScriptUtils.javaScriptEscape(); when a victim later loads a page that renders that data inside a <script> block or inline event handler using the vulnerable helper, the browser executes the injected JavaScript in the victim's session context, enabling cookie theft, token exfiltration, or actions on behalf of the user. Exploitation is unauthenticated to deliver but requires user interaction (UI:R) such as visiting the crafted page; no public PoC has been identified at time of analysis.
Remediation Upgrade Spring Framework to a fixed release on your branch - based on the affected ranges this means moving beyond 5.3.48, 6.1.27, 6.2.18, or 7.0.7 to the next vendor-released patched version as specified in the Spring advisory at https://spring.io/security/cve-2026-41845 (confirm the exact target version in that advisory, as published patched versions were not independently verified in the data provided). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all applications using Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, or 7.0.0-7.0.7; prioritize by business criticality and user impact. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10771 MEDIUM POC
5.5 Jun 03

Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
CVE-2026-25860 MEDIUM POC
5.3 Jun 09

Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
CVE-2026-50076 CRITICAL
9.1 Jun 04

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
CVE-2026-40128 CRITICAL
9.0 Jun 09

Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
CVE-2026-41855 HIGH
8.1 Jun 09

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess

Share

EUVD-2026-35333 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy