PatchSiren cyber security CVE debrief
CVE-2026-41846 Spring CVE debrief
CVE-2026-41846 is a medium-severity vulnerability in Spring Framework that allows for cross-site scripting (XSS) attacks. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The vulnerability occurs when user-supplied values are accepted in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags, potentially resulting in arbitrary HTML/JavaScript code injection.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.9 and a CVSS severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Framework.
- Validate or sanitize any user-supplied value before it is used in the cssClass, cssErrorClass or cssStyle attributes of JSP form tags, so that it cannot be used for XSS.
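The second action in practice, as an added example that is not code from the advisory or from the Spring project: a server-side allowlist that decides what may reach the cssClass and cssStyle attributes, with the class name, helper name and controller wiring all assumed for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example (assumed names, not a Spring API): keep user input out of the
// cssClass / cssErrorClass / cssStyle attributes unless it passes a strict allowlist.
public final class FormStyleGuard {

    // Only class names the application's own stylesheet defines may be selected.
    private static final Set<String> ALLOWED_CLASSES =
            Set.of("form-control", "is-invalid", "text-danger", "wide");

    // A plain CSS identifier: no quotes, '<', '>', spaces or other attribute-breaking characters.
    private static final Pattern CLASS_TOKEN = Pattern.compile("[A-Za-z][A-Za-z0-9_-]{0,63}");

    /** Returns the requested class if it is a well-formed, allowlisted name; otherwise the fallback. */
    public static String cssClass(String requested, String fallback) {
        if (requested == null) return fallback;
        String value = requested.trim();
        if (!CLASS_TOKEN.matcher(value).matches()) return fallback;
        return ALLOWED_CLASSES.contains(value) ? value : fallback;
    }

    /** cssStyle: never pass free-form input through; map a user choice to a fixed declaration. */
    public static String cssStyle(String choice) {
        switch (choice == null ? "" : choice.trim()) {
            case "compact": return "width: 12em;";
            case "wide":    return "width: 40em;";
            default:        return "";   // unknown choice: emit no inline style at all
        }
    }

    // Where it plugs in (assumed controller code):
    //   model.addAttribute("fieldClass", FormStyleGuard.cssClass(request.getParameter("theme"), "form-control"));
    //   model.addAttribute("fieldStyle", FormStyleGuard.cssStyle(request.getParameter("layout")));
    // and in the JSP, only the validated model attributes are bound to the tag:
    //   <form:input path="name" cssClass="${fieldClass}" cssStyle="${fieldStyle}"/>
    public static void main(String[] args) {
        System.out.println("allowlisted class     -> " + cssClass("wide", "form-control"));
        System.out.println("quote in value        -> " + cssClass("wide\"", "form-control"));
        System.out.println("unknown class name    -> " + cssClass("is-pretty", "form-control"));
        System.out.println("free-form style input -> '" + cssStyle("color: red") + "'");
    }
}
```

Anything that fails the check falls back to a fixed, application-owned value, so the tag attribute never carries raw request data.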
Evidence notes
The vulnerability was published on 2026-06-09T05:16:36.693Z and modified on 2026-06-11T16:10:47.080Z. The CVE record is available from CVE.org, the NVD detail from NVD, and the vendor advisory is listed under Official resources below.
Official resources
- CVE-2026-41846 CVE record (CVE.org)
- CVE-2026-41846 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: Vendor Advisory