CVE-2026-41846
Received Received - Intake
Cross-Site Scripting in Spring MVC Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-41846
EUVD
EUVD-2026-35334
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework From 7.0.0 (inc) to 7.0.7 (inc)
vmware spring_framework From 6.2.0 (inc) to 6.2.18 (inc)
vmware spring_framework From 6.1.0 (inc) to 6.1.27 (inc)
vmware spring_framework From 5.3.0 (inc) to 5.3.48 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41846 is a cross-site scripting (XSS) vulnerability in the Spring Framework that affects JSP form tags. It occurs when Spring MVC applications accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP <form:*> tags. This allows attackers to inject arbitrary HTML or JavaScript code into the application.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where an attacker injects malicious HTML or JavaScript code into a web application. This can result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potentially compromise user accounts or the integrity of the application.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Spring Framework to the fixed versions.

  • Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial) for 7.0.x versions.
  • Upgrade to Spring Framework 6.2.19 (OSS) or 6.2.18.1 (Commercial) for 6.2.x versions.
  • Upgrade to Spring Framework 6.1.28 (Commercial) for 6.1.x versions.
  • Upgrade to Spring Framework 5.3.49 (Commercial) for 5.3.x versions.

No additional mitigation steps are required beyond upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart