Skip to main content

Spring Web Flow EUVDEUVD-2026-36201

| CVE-2026-40986 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-11 vmware GHSA-hw5c-xm3c-v96w
4.8
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
4.8 MEDIUM

Network-reachable RemotingHandler requires low-privilege auth (PR:L), attacker must engineer reflected error content (AC:H), victim interaction required (UI:R); XSS yields integrity-only impact with no confidentiality or availability consequence.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 08:01 EUVD
Analysis Generated
Jun 11, 2026 - 07:07 vuln.today

DescriptionCVE.org

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.

Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

AnalysisAI

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Spring Web Flow is a Spring Framework extension for orchestrating multi-step stateful web workflows. Its JavaScript RemotingHandler provides server-side AJAX/remoting support for workflow transitions triggered by browser-side JavaScript. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting): the handler fails to enforce content-type boundaries when constructing error responses, treating the response body as renderable HTML in the browser even when the HTTP Content-Type header declares a non-HTML media type. If server-generated error details echo back attacker-controlled input (e.g., from form fields, path parameters, or query strings that surface in exception or validation messages), that content is injected into the DOM without sanitization. The CPE cpe:2.3:a:spring:spring_web_flow:*:*:*:*:*:*:*:* covers the Spring Web Flow component published by the Spring (VMware/Broadcom) project.

RemediationAI

The primary remediation is to apply the vendor-released patch documented in the Spring security advisory at https://spring.io/security/cve-2026-40986; the exact fixed version number is not present in available intelligence and must be confirmed directly from that advisory before upgrading. As a compensating control while patching is scheduled, deploy a Content Security Policy (CSP) response header (e.g., default-src 'self'; script-src 'self') to block inline script execution in the browser - note this may require updating application JavaScript to eliminate inline handlers and eval() usage, which carries development overhead. Additionally, configure server-side output encoding for any user-supplied data that may appear in error messages returned by RemotingHandler endpoints; Spring's HtmlUtils.htmlEscape() or equivalent can be applied at the error-generation layer. Restricting authenticated access to RemotingHandler endpoints to the minimum necessary user population reduces the attacker pool consistent with PR:L.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-36201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy