CVE-2026-41845 HIGH

CVE-2026-41845: Spring Framework Cross-site Scripting via JavaScriptUtils

Vendor Spring

Product Spring Framework

Weakness CWE-79 · XSS

Published June 9, 2026

Last update June 9, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

Description

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Key dates

Disclosure timeline

June 9, 2026 CVE published

June 9, 2026 Record updated

Identifiers

CVE CVE-2026-41845

CWE CWE-79

CVSS 7.1 / HIGH

Affected versions

Vendor Spring

Product Spring Framework

Affected ≥ 7.0.0 and < 7.0.8

Vendor Spring

Product Spring Framework

Affected ≥ 6.2.0 and < 6.2.19

Vendor Spring

Product Spring Framework

Affected ≥ 6.1.0 and < 6.1.28

Vendor Spring

Product Spring Framework

Affected ≥ 5.3.0 and < 5.3.49