PatchSiren cyber security CVE debrief

CVE-2026-41003 Spring CVE debrief

CVE-2026-41003 is a high-severity vulnerability in Spring Security, a widely used Java framework for authentication and authorization in web applications. An attacker able to influence values held in a RelyingPartyRegistration (the object that carries a SAML 2.0 relying-party and asserting-party configuration in Spring Security) may be able to inject script into the HTML forms that Spring Security filters generate, a cross-site scripting weakness (CWE-79). Affected versions are Spring Security 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.
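The bug class, as an added illustration rather than Spring Security's own code: a server builds an auto-submitting POST form from values that come out of a relying-party configuration. The class, method and field names below, the hostile URL and the placeholder SAMLRequest are all constructed for this example; the vulnerable builder concatenates values raw, the hardened builder escapes every value for an HTML attribute context before insertion.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not Spring Security's code) of a CWE-79 in server-generated
 * HTML forms. A POST binding reaches the browser as an auto-submitting form whose
 * action and hidden fields come from configuration-derived values. If any such value
 * is interpolated without HTML escaping, whoever controls the value controls the page.
 */
public class AutoSubmitFormExample {

    /** Vulnerable pattern: raw string concatenation of untrusted values into HTML. */
    static String buildFormUnsafe(String action, Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        sb.append("<form method=\"post\" action=\"").append(action).append("\">\n");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            sb.append("  <input type=\"hidden\" name=\"").append(e.getKey())
              .append("\" value=\"").append(e.getValue()).append("\"/>\n");
        }
        sb.append("</form>\n<script>document.forms[0].submit();</script>\n");
        return sb.toString();
    }

    /** Hardened pattern: every untrusted value is HTML-escaped before insertion. */
    static String buildFormEscaped(String action, Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        sb.append("<form method=\"post\" action=\"").append(htmlEscape(action)).append("\">\n");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            sb.append("  <input type=\"hidden\" name=\"").append(htmlEscape(e.getKey()))
              .append("\" value=\"").append(htmlEscape(e.getValue())).append("\"/>\n");
        }
        sb.append("</form>\n<script>document.forms[0].submit();</script>\n");
        return sb.toString();
    }

    /** Minimal escaper for attribute and text contexts; a Spring app would use HtmlUtils.htmlEscape. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Crude detector: the legitimate auto-submit script must be the only script element. */
    static boolean containsInjectedScript(String html) {
        int first = html.indexOf("<script>");
        return first >= 0 && html.indexOf("<script", first + 1) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: an asserting-party SSO URL as a hostile metadata document
        // or a tampered registration could supply it (hypothetical value).
        String hostileAction = "https://idp.example.test/sso\"><script>alert(document.cookie)</script><x y=\"";
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("SAMLRequest", "PHNhbWxwOkF1dGhuUmVxdWVzdCAuLi4+");  // placeholder, not a real request
        fields.put("RelayState", "/after-login");

        String unsafe = buildFormUnsafe(hostileAction, fields);
        String safe = buildFormEscaped(hostileAction, fields);

        System.out.println("unsafe form carries an injected script: " + containsInjectedScript(unsafe));
        System.out.println("escaped form carries an injected script: " + containsInjectedScript(safe));
        System.out.println(safe);
    }
}
```

The escaping has to happen at the point of HTML generation, not at configuration load time: a value can be perfectly valid as a URL or entity ID and still break out of an attribute once concatenated into markup. Escaping for an attribute context (quotes included) covers both the action attribute and the hidden-field values here; a value that lands inside the script element itself would need JavaScript-string escaping instead, which this example does not cover.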

Vendor
Spring
Product
Spring Security
CVSS
HIGH 7.6
CISA KEV
Not listed (per the evidence stored for this record)
Original CVE published
2026-06-10
Original CVE updated
2026-06-12
Advisory published
2026-06-10
Advisory updated
2026-06-12

Who should care

Developers and administrators running any affected Spring Security version should schedule the upgrade, with priority for applications that configure a RelyingPartyRegistration (Spring Security's SAML 2.0 support). Check both the version declared in the build file and the version actually resolved on the classpath, since a transitive dependency can pin an older release.

Technical summary

The vulnerability carries a CVSS v3.1 base score of 7.6 (HIGH). The vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N: reachable over the network with low attack complexity, requires low privileges and user interaction, changes scope (the injected script executes in the victim's browser rather than in the vulnerable component), and has high confidentiality, low integrity and no availability impact. The weakness is CWE-79, improper neutralization of input during web page generation (cross-site scripting).

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of Spring Security: 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6.
  • Apply the vendor advisory: [ref-4](https://spring.io/security/cve-2026-41003)

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide additional information about the vulnerability.

Official resources

CVE-2026-41003 was published on 2026-06-10T00:16:50.307Z and modified on 2026-06-12T20:30:33.407Z.