VYPR
Medium severity, score 4.8 · NVD Advisory · Published Jun 11, 2026

CVE-2026-40986

Description

Spring Web Flow's JavaScript RemotingHandler renders error response body as HTML even for non-HTML responses, enabling scripting attacks when attacker-reflected input appears in error details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response's Content-Type is not text/html. This occurs when the application uses the org.springframework.webflow:spring-js-resources artifact and Spring-Dojo.js is loaded for Ajax requests. Affected versions are Spring Web Flow 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1, as well as older unsupported versions [1].
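The defect described above is a Content-Type confusion in a client-side error handler: a body the server sent as plain text or JSON is inserted into the page as markup. The following is an added illustration of that pattern and its hardened form; it is not code from Spring Web Flow or Spring-Dojo.js, and the function names and the `{status, contentType, body}` response shape are assumptions made for the example. The sample error response is constructed.

```javascript
// Added example (not Spring-Dojo.js / Spring Web Flow code). Shows why an
// Ajax error renderer must honour the response's Content-Type before
// treating the body as HTML.

// Minimal HTML escaper so a body can only ever be displayed as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// True only when the server explicitly declared the body as HTML
// (e.g. "text/html; charset=UTF-8"); anything else is not markup.
function isHtml(contentType) {
  return /^\s*text\/html\b/i.test(contentType || '');
}

// Weak pattern: the error body is always spliced in as markup, so any
// reflected input in a text/plain or application/json error is interpreted
// by the browser as HTML.
function renderErrorUnsafe(response) {
  return `<div class="error">${response.body}</div>`;
}

// Hardened pattern: only a body the server labelled text/html is kept as
// markup; every other content type is escaped first.
function renderErrorSafe(response) {
  const body = isHtml(response.contentType)
    ? response.body
    : escapeHtml(response.body);
  return `<div class="error">${body}</div>`;
}

// Constructed sample: a non-HTML error response whose detail echoes a
// request parameter (an <i> tag stands in for any reflected markup).
const SAMPLE_ERROR_RESPONSE = {
  status: 500,
  contentType: 'text/plain; charset=UTF-8',
  body: 'Unknown flow id: <i>reflected</i>'
};

// Running stand-alone prints both renderings for comparison.
console.log('unsafe:', renderErrorUnsafe(SAMPLE_ERROR_RESPONSE));
console.log('safe:  ', renderErrorSafe(SAMPLE_ERROR_RESPONSE));
```

The check on `contentType` is the whole fix: a handler that branches on the declared media type never hands a text or JSON body to an HTML sink, which is the behaviour the fixed Spring Web Flow releases listed under Mitigation restore.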

Exploitation

An attacker must be able to inject input that is reflected in the error response from the server. The attacker then needs to trick a user into making a request that triggers an error containing the attacker's input. The user must be using a browser that loads Spring-Dojo.js and makes Ajax requests via the RemotingHandler. The attacker does not need network access beyond being able to send crafted requests to the application, but user interaction (e.g., clicking a link) is required [1].

Impact

If successful, the attacker can execute arbitrary script in the user's browser within the security context of the application. This can lead to actions such as stealing session cookies, performing actions on behalf of the user, or defacing the page. The CVSS vector indicates a Medium severity with no confidentiality impact but high integrity impact, requiring low privileges and user interaction [1].

Mitigation

Users should upgrade to the fixed versions: 4.0.1 (OSS), 3.0.2 (OSS), or 2.5.2 (Enterprise Support Only). Enterprise-only fixes are also available for 4.0.0.1 and 3.0.1.1. No further mitigation steps are necessary [1].

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.