CVE-2026-41003— Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 6
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Security | 5.7.0< 5.7.24 | affected |
5.8.0< 5.8.26 | affected | ||
6.3.0< 6.3.17 | affected | ||
6.4.0< 6.4.17 | affected | ||
6.5.0< 6.5.11 | affected | ||
7.0.0< 7.0.6 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41003
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
Source: NVD (National Vulnerability Database)
Vulnerability Description
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Security 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring Security是美国威睿(VMware)公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。 VMware Spring Security存在跨站脚本漏洞,该漏洞源于能够影响RelyingPartyRegistration中值的攻击者,可能在Spring Security过滤器生成的HTML表单上运行任意代码。以下版本受到影响:5.7.0至5.7.23版本、5.8.0至5.8.25版本、6.3.0至6.3.16版本、6.4.0至6.4.16版本、6.5.0至6
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring | Spring Security | 5.7.0 ~ 5.7.24 | - |
II. Public POCs for CVE-2026-41003
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41003
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41003 (1)
Same Patch Batch · Spring · 2026-06-09 · 51 CVEs total
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
| CVE-2026-47838 | 6.8 MEDIUM | Unauthorized User Impersonation when Using X.509 Client Certificates |
Showing top 20 of 51 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Spring Security
- CVE-2026-47838
Unauthorized User Impersonation when Using X.509 Client Cert - CVE-2026-41706
Open Redirect When Using CookieRequestCache - CVE-2026-41694
SAML Payloads Decrypted Without Valid Signature - CVE-2026-41008
Spring Security Authorization Server Open Redirect via reque - CVE-2026-40993
Unfiltered Java Native Deserialization of SAML 2.0 Asserting
Same vendor: Spring
- CVE-2026-41862
Spring Statemachine RCE漏洞,影响3.2.x及4.0.x版本 - CVE-2026-47825
Spring Cloud Gateway Server Forwards Headers from Untrusted - CVE-2026-41708
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnera - CVE-2026-47835
Spring AI vector store metadata filtering to handle special - CVE-2026-41856
Spring GraphQL Annotation Detection Vulnerability
Same weakness: CWE-79
- CVE-2026-57656
WordPress Hester Core plugin <= 1.1.8 - Cross Site Scripting - CVE-2026-57651
WordPress Ghost Kit plugin <= 3.6.0 - Cross Site Scripting ( - CVE-2026-57650
WordPress Magazine Blocks plugin <= 1.8.3 - Cross Site Scrip - CVE-2026-57638
WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Script - CVE-2026-57629
WordPress StatCounter plugin <= 2.1.1 - Cross Site Scripting
V. Comments for CVE-2026-41003
No comments yet