Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

7.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Description

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.

Affected versions:
Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Basic Information

ID CVE-2026-41003

Source vmware

Published Jun 9, 2026 at 23:46

Affected Product

Vendor Spring

Product Spring Security

Version 5.7.0

Affected Versions Spring Spring Security 5.7.0
Spring Spring Security 5.8.0
Spring Spring Security 6.3.0
Spring Spring Security 6.4.0
Spring Spring Security 6.5.0
Spring Spring Security 7.0.0

CWE Classification

CWE-79

References

spring.io /security/cve-2026-41003

{
    "lastseen": "",
    "description": "An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.",
    "published": "2026-06-09T23:46:53.683Z",
    "modified": "2026-06-09T23:46:53.683Z",
    "type": "cve",
    "title": "Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41003",
    "id": "CVE-2026-41003",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Security 5.7.0\nSpring Spring Security 5.8.0\nSpring Spring Security 6.3.0\nSpring Spring Security 6.4.0\nSpring Spring Security 6.5.0\nSpring Spring Security 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Security",
    "version": "5.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting_CVE-2026-41003