HIGH 7.1

CVE-2026-41845: Spring Framework JavaScriptUtils XSS Vulnerability

Spring Framework contains a flaw in its JavaScriptUtils.javaScriptEscape() function that fails to properly escape certain characters. This weakness allows attackers to inject malicious JavaScript code that executes in users' browsers, potentially stealing session data, credentials, or performing actions on behalf of the user. The vulnerability requires user interaction—specifically clicking a malicious link or visiting a compromised page—but does not require authentication. Multiple versions of Spring Framework across the 5.3, 6.1, 6.2, and 7.0 release lines are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from incomplete or incorrect character escaping within JavaScriptUtils.javaScriptEscape(), a utility function commonly used to sanitize user input before embedding it in JavaScript contexts. When an application uses this function to prepare untrusted data for inclusion in JavaScript, the inadequate escaping leaves certain characters unfiltered, enabling an attacker to break out of the intended string context and inject arbitrary JavaScript. This is classified as a Stored or Reflected XSS vulnerability (CWE-79) depending on how the escaped output is used. The network-accessible nature of most web applications using Spring Framework and the low attack complexity mean exploitation can be straightforward once a suitable injection point is identified.

Business impact

Organizations relying on Spring Framework for web application development face a significant security exposure. If vulnerable versions are in production, attackers can conduct phishing attacks, harvest credentials, redirect users to malicious sites, or perform unauthorized actions within the application on behalf of compromised users. The reputational damage from a successful XSS campaign—especially one affecting multiple users—can be substantial. Additionally, depending on the sensitivity of data handled by the application, regulatory compliance obligations (PCI-DSS, HIPAA, GDPR) may be triggered if user data is accessed or exfiltrated through XSS exploitation.

Affected systems

Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are affected. Any application built with Spring that relies on JavaScriptUtils.javaScriptEscape() to sanitize user input for inclusion in JavaScript is at risk. This includes Spring MVC applications, Spring Boot applications using Thymeleaf or other templating engines that may delegate escaping to this utility, and custom applications that directly call the vulnerable function. Applications using alternative escaping mechanisms or that do not embed user input in JavaScript contexts are not affected.

Exploitability

Exploitation requires no authentication or special privileges, and the attack vector is network-accessible. The main barrier is user interaction—a victim must visit a malicious page, click a crafted link, or interact with injected content. Attack complexity is low; once a developer includes user input through the vulnerable escaping function, no additional configuration or race conditions need to align. Given that XSS vulnerabilities are well-understood and exploit tooling is readily available, organizations should assume that threat actors will actively probe for and exploit this flaw if applications remain unpatched.

Remediation

Upgrade to patched versions of Spring Framework as soon as practical. Consult the VMware Spring Framework security advisory to identify the exact patch versions available for each affected release line (5.3, 6.1, 6.2, 7.0). Organizations should prioritize upgrades in environments handling sensitive data or exposed to untrusted user input. As a temporary mitigation, review applications to identify all uses of JavaScriptUtils.javaScriptEscape() and evaluate whether alternative escaping strategies (such as using a dedicated JavaScript templating engine or encoding library that has undergone security review) can reduce reliance on the vulnerable function. However, upgrade is the definitive remediation.

Patch guidance

Contact VMware or consult the official Spring Framework security advisories to obtain the exact patch versions. Patch availability likely varies by release line; for example, 7.0.x, 6.2.x, 6.1.x, and 5.3.x releases will each have their own patched versions. Test patches in a non-production environment first, paying particular attention to any JavaScript generation or escaping logic in your application. Verify that the patched version is in use after deployment by checking the Spring Framework version reported in your application logs or artifact metadata. Consider enabling automated dependency scanning tools to prevent regression.

Detection guidance

Search your codebase for direct calls to JavaScriptUtils.javaScriptEscape() to identify potential injection points. Review any templates or views that embed user input into JavaScript blocks, especially in Spring MVC or Spring Boot applications using JSP, Thymeleaf, or FreeMarker. Monitor application logs for unusual JavaScript patterns in request parameters or form data that might indicate injection attempts. Web Application Firewalls (WAFs) can help by detecting common XSS payloads in query strings or POST bodies, though evasion is possible. Perform regular dependency audits to track Spring Framework versions in use across your infrastructure and flag any instances still running affected versions.

Why prioritize this

This vulnerability merits immediate prioritization because it affects a widely-used framework (Spring), requires no authentication, and enables high-impact attacks (credential theft, session hijacking, malware distribution). While the HIGH CVSS score (7.1) reflects the seriousness, the practical risk is elevated further by the prevalence of Spring in enterprise and cloud-native applications. The short lag between publication and likely weaponization of XSS flaws means organizations should patch within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects a network-accessible vulnerability with low attack complexity and user interaction required. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates high confidentiality impact (session data, credentials can be accessed), low integrity impact (malicious JavaScript can modify page content but is limited to the victim's session), and no availability impact. The score appropriately captures the serious but not critical nature of the flaw; while XSS is a well-known attack vector, the integrity and confidentiality compromises it enables justify prioritization.

Frequently asked questions

How do I know if my application uses the vulnerable JavaScriptUtils.javaScriptEscape() function?

Search your application source code and dependencies for direct method calls to JavaScriptUtils.javaScriptEscape(). Additionally, check if you are using Spring Framework versions within the affected ranges (5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, 7.0.0–7.0.7). If you do not explicitly call this method and do not embed untrusted user input into JavaScript in your templates, your risk may be lower, but upgrading is still recommended to ensure you benefit from the fix and any other security improvements in patched versions.

Can this vulnerability be exploited remotely without any special access?

Yes. The vulnerability is network-accessible and requires no authentication or special privileges. An attacker needs only to craft a malicious link or embed a payload in a web page that a user visits, making it a practical threat in most web-facing environments. However, successful exploitation does require the victim (or their browser) to interact with the malicious content, which is why social engineering or legitimate site compromise can facilitate attacks.

What is the difference between this vulnerability and other Spring Framework XSS issues?

This specific flaw is rooted in the JavaScriptUtils.javaScriptEscape() utility function itself, meaning any code that relies on it for escaping is at risk. Other XSS vulnerabilities may stem from improper use of escaping elsewhere or from template engines not properly escaping by default. The remedy—upgrading to a patched version—is the same, but understanding the root cause helps identify whether your application is affected by other, unrelated XSS flaws.

If I upgrade Spring Framework, will my application break?

Patch releases (e.g., 7.0.7 to 7.0.8) are designed to be drop-in replacements and should not break existing functionality. However, always test patches in a staging environment before deploying to production. Pay special attention to any custom JavaScript generation, template logic, or special characters in your user-facing strings. If you are upgrading across minor or major versions as part of your remediation, review Spring's release notes for breaking changes.

This analysis is provided for informational purposes and reflects publicly disclosed information as of the publication and modification dates. Organizations should verify the availability of patches and affected product versions directly with VMware and the official Spring Framework security advisories. No exploit code or weaponized proof-of-concept is provided. Consult your security team and vendor documentation before applying patches to production systems. This vulnerability intelligence does not constitute legal advice or a guarantee of security; your organization's risk tolerance and security posture should inform your remediation timeline and approach. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).