CVE-2026-41846

Vulnerability

Spring MVC applications using JSP form tags are vulnerable to arbitrary HTML and JavaScript code injection if user-supplied values are accepted in the cssClass, cssErrorClass, or cssStyle attributes. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by tricking a user into interacting with a crafted web page. If the application uses user-supplied input within the vulnerable attributes of JSP form tags, the attacker can inject malicious HTML or JavaScript code. This requires the attacker to have network access to the vulnerable application and for the user to interact with the application in a way that triggers the vulnerable code path, likely involving user interaction with a form element [1].

Impact

Successful exploitation of this vulnerability can lead to a cross-site scripting (XSS) attack. An attacker can inject arbitrary HTML and JavaScript code, potentially allowing them to steal user session information, perform actions on behalf of the user, or redirect users to malicious websites. The impact is limited to the scope of the user's session and privileges within the application [1].

Mitigation

Users should upgrade to the following fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, and 5.3.49. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading [1].