VYPR
← All advisories
High severity7.1NVD Advisory· Published Jun 9, 2026

CVE-2026-41845

CVE-2026-41845

Description

Spring Framework is vulnerable to XSS via JavaScriptUtils.javaScriptEscape() due to improper escaping, affecting multiple versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Framework is vulnerable to XSS via JavaScriptUtils.javaScriptEscape() due to improper escaping, affecting multiple versions.

Vulnerability

Incorrect escaping in the JavaScriptUtils.javaScriptEscape() method within Spring Framework can lead to JavaScript code injection in the browser. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by tricking a user into interacting with a crafted web page or link. If the vulnerable javaScriptEscape() function is used to process user-controlled input without proper sanitization, injected JavaScript code can be executed in the context of the user's browser session [1].

Impact

Successful exploitation of this vulnerability can result in a cross-site scripting (XSS) attack. This allows an attacker to execute arbitrary JavaScript code in the victim's browser, potentially leading to session hijacking, data theft, or redirection to malicious websites [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49. No further mitigation steps are necessary. Versions that are no longer supported are also affected [1].

References
  1. CVE-2026-41845: Spring Framework Cross-site Scripting via JavaScriptUtils

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • Spring Projects/Frameworkllm-fuzzy
    Range: 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.