VYPR
← All advisories
High severity7.6NVD Advisory· Published Jun 10, 2026

CVE-2026-41003

CVE-2026-41003

Description

Spring Security filters may allow arbitrary code execution on HTML forms due to unencoded HTML outputs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Security filters may allow arbitrary code execution on HTML forms due to unencoded HTML outputs.

Vulnerability

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. This vulnerability affects Spring Security versions 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; and 7.0.0 through 7.0.5 [1].

Exploitation

An attacker needs to influence values within RelyingPartyRegistration to trigger the vulnerability. The exact sequence of steps required to exploit this vulnerability is not yet disclosed in the available references.

Impact

Successful exploitation may allow an attacker to run arbitrary code on HTML forms generated by Spring Security filters. The specific impact on confidentiality, integrity, and availability, as well as the privilege level of the compromise, is not fully detailed in the available references.

Mitigation

Information regarding a fixed version and release date is not yet disclosed in the available references. No workarounds are currently published. The vulnerability is not listed as being actively exploited in the wild [1].

References
  1. CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • Spring Projects/Spring Securityllm-create
    Range: 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, 7.0.0 through 7.0.5

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1