PatchSiren cyber security CVE debrief
CVE-2026-40986 Spring CVE debrief
A medium-severity vulnerability, CVE-2026-40986, was found in Spring Web Flow's JavaScript RemotingHandler. The issue causes the body of an error response to be rendered as HTML, even when the response is not 'text/html'. This can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. The affected versions are Spring Web Flow 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1.
- Vendor: Spring
- Product: Spring Web Flow
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Anyone running Spring Web Flow 4.0.0, 3.0.0 through 3.0.1, or 2.5.0 through 2.5.1 is affected and should review the defensive actions below.
Technical summary
The CVSS score for this vulnerability is 4.8, with a severity rating of MEDIUM. The vulnerable component is the JavaScript RemotingHandler, which renders the body of an error response as HTML even when the response's content type is not 'text/html'. If the server's error details reflect attacker-controlled input, the user's browser interprets that input as markup, which can lead to a scripting attack in the user's browser.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Spring Web Flow.
- Validate request input and handle errors so that server error responses do not reflect attacker-controlled input.
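The following is an added example illustrating the failure mode described in the technical summary and the second defensive action above; it is not Spring Web Flow's code, and the function names (`renderErrorVulnerable`, `renderErrorHardened`, `toSafeMarkup`, `isHtmlResponse`) and the response objects are hypothetical and constructed inline. It contrasts a client-side error handler that writes any error body as HTML with one that only treats a body as markup when the server declared `text/html`, and otherwise renders it as inert text.

```javascript
// Added example (not Spring Web Flow's code). Response objects are
// constructed inline; nothing here touches the network or a real DOM.

// Escape the characters that would let a string be parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Case-insensitive Content-Type check; a missing header is not HTML.
function isHtmlResponse(headers) {
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === "content-type");
  const value = entry ? String(entry[1]).trim().toLowerCase() : "";
  return value.startsWith("text/html");
}

// Stand-in for a DOM element: which property gets written tells us
// whether the body was treated as markup (innerHTML) or text (textContent).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern (hypothetical): the error body is always written as
// HTML, regardless of the Content-Type the server declared.
function renderErrorVulnerable(el, response) {
  el.innerHTML = response.body;
  return el;
}

// Hardened pattern (hypothetical): only a body the server declared as
// text/html is treated as markup; text/plain, JSON or an absent header is
// shown literally, so reflected input cannot become active content.
function renderErrorHardened(el, response) {
  if (isHtmlResponse(response.headers)) {
    el.innerHTML = response.body;
  } else {
    el.textContent = response.body;
  }
  return el;
}

// For code paths that must produce a markup string (e.g. a template),
// escape non-HTML bodies instead of passing them through.
function toSafeMarkup(response) {
  return isHtmlResponse(response.headers)
    ? response.body
    : escapeHtml(response.body);
}

// Constructed sample: a text/plain error whose message echoes a request
// value that contains a tag (the reflection the advisory describes).
const reflectedError = {
  status: 500,
  headers: { "Content-Type": "text/plain;charset=UTF-8" },
  body: "Invalid flow id: <b>flow</b>",
};

// Constructed sample: an error page the server really did send as HTML.
const htmlError = {
  status: 500,
  headers: { "content-type": "text/html; charset=UTF-8" },
  body: "<p>Internal error</p>",
};
```

With `reflectedError`, the vulnerable handler writes the tag into `innerHTML`, where a browser would parse it; the hardened handler writes it to `textContent` and leaves `innerHTML` empty, while `htmlError` still renders as markup because the server declared it as such.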
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
- CVE-2026-40986 CVE record (CVE.org)
- CVE-2026-40986 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-40986 was published on [cvePublishedAt] and modified on [cveModifiedAt].