CVE-2026-41003 HIGH

CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

Vendor Spring
Product Spring Security
Weakness CWE-79 · XSS
Published June 9, 2026
Last update June 10, 2026
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 10, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2504 Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom attributes CVE-2024-52991 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-35929 Tuleap Cross-site Scripting vulnerability in the card field of the agile dashboard apps CVE-2024-3886 tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[] CVE-2025-23596 WordPress Notifikácie.sk plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability