CVE-2026-41846
Analyzed Analyzed - Analysis Complete

Cross-Site Scripting in Spring MVC Framework

Publication date: 2026-06-09

Last updated on: 2026-06-27

Assigner: VMware

Description
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-27
Generated
2026-06-29
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-41846
EUVD
EUVD-2026-35334

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework From 5.3.0 (inc) to 5.3.49 (exc)
vmware spring_framework From 6.1.0 (inc) to 6.1.28 (exc)
vmware spring_framework From 6.2.0 (inc) to 6.2.19 (exc)
vmware spring_framework From 7.0.0 (inc) to 7.0.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41846 is a cross-site scripting (XSS) vulnerability in the Spring Framework that affects JSP form tags. It occurs when Spring MVC applications accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP <form:*> tags. This allows attackers to inject arbitrary HTML or JavaScript code into the application.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where an attacker injects malicious HTML or JavaScript code into a web application. This can result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potentially compromise user accounts or the integrity of the application.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Spring Framework to the fixed versions.

  • Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial) for 7.0.x versions.
  • Upgrade to Spring Framework 6.2.19 (OSS) or 6.2.18.1 (Commercial) for 6.2.x versions.
  • Upgrade to Spring Framework 6.1.28 (Commercial) for 6.1.x versions.
  • Upgrade to Spring Framework 5.3.49 (Commercial) for 5.3.x versions.

No additional mitigation steps are required beyond upgrading.

Compliance Impact

The provided information does not specify how this cross-site scripting (XSS) vulnerability in the Spring Framework directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart