MEDIUM 5.9

CVE-2026-41846: Spring Framework JSP Form Tag XSS Vulnerability – Patch Guidance

Spring Framework contains a reflected cross-site scripting (XSS) vulnerability in its JSP form tag library. When developers use Spring MVC form tags and bind user-supplied input to the cssClass, cssErrorClass, or cssStyle attributes without proper sanitization, an attacker can inject malicious HTML and JavaScript code. This code executes in the victim's browser when they view the affected page, potentially allowing credential theft, session hijacking, or other client-side attacks. The vulnerability requires user interaction (such as clicking a malicious link) to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Spring Framework's JSP form tag implementation, which fails to properly escape or sanitize user-controlled input before rendering it into HTML style and class attributes. An attacker crafting a URL with embedded JavaScript payloads in parameters mapped to cssClass, cssErrorClass, or cssStyle attributes can bypass client-side security boundaries. The affected versions span multiple release lines: 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The CVSS v3.1 vector (5.9 MEDIUM, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N) reflects that exploitation requires network access, relatively high attack complexity (crafting the payload), and user interaction, but could result in high confidentiality impact.

Business impact

Organizations using vulnerable Spring Framework versions face risk of customer data exposure through session hijacking or credential theft if attackers compromise user sessions via malicious links. For SaaS and web application providers, this can lead to regulatory compliance violations (GDPR, HIPAA, PCI-DSS depending on data handled), customer trust erosion, and potential incident response costs. Applications that accept user-generated content (e.g., in configuration, theme customization, or reporting features) are at higher risk. However, because exploitation requires user interaction and doesn't grant direct server-side access, the business impact is typically contained to affected sessions rather than wholesale system compromise.

Affected systems

All Spring Framework versions from 5.3.0 through 7.0.7 are affected. This includes long-term support (LTS) releases and current versions. Any web application built on Spring MVC that uses JSP form tags (such as <form:input>, <form:select>, etc.) and binds cssClass, cssErrorClass, or cssStyle attributes from request parameters or user input is vulnerable. Legacy applications on Spring 5.3.x, standard deployments on 6.1.x or 6.2.x, and recent 7.0.x installations all require patching. Applications using Spring Boot with default configurations that leverage Spring MVC JSP rendering are affected.

Exploitability

Exploitation is practical but constrained. An attacker must craft a malicious URL containing JavaScript payloads in parameters that map to vulnerable JSP tag attributes, then socially engineer or trick users into clicking the link. No authentication, credentials, or special privileges are required from the attacker's perspective. The attack complexity is moderate—the attacker must understand the application's URL structure and parameter mapping—but proof-of-concept payloads are relatively straightforward (e.g., injecting event handlers or script tags into style/class attributes). The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, suggesting active weaponization is not yet documented in the wild, but the technique is well-known and easily discoverable.

Remediation

Organizations should immediately upgrade to patched versions: Spring Framework 7.0.8 or later, 6.2.19 or later, 6.1.28 or later, or 5.3.49 or later. Verify the exact patch versions against the official VMware Spring Framework security advisory to ensure compatibility with your deployment. For applications unable to upgrade immediately, implement input validation and output encoding at the application layer: validate and whitelist cssClass and cssErrorClass values to contain only alphanumeric characters and hyphens, and avoid binding user input directly to cssStyle. Consider using Spring Security's built-in CSRF and XSS protections (Content Security Policy headers) as temporary compensating controls.

Patch guidance

Patches are available from VMware for all affected major versions. Check the Spring Framework release notes and security advisories for version 7.0.8+, 6.2.19+, 6.1.28+, and 5.3.49+ depending on your current track. If you use Spring Boot, verify that your Spring Boot version automatically pulls the patched Spring Framework dependency; you may need to update Spring Boot itself. Test patches in a staging environment to confirm compatibility with custom JSP tags or third-party extensions that may interact with form tag rendering. Plan for application redeployment; most deployments can be performed as a rolling update with zero downtime.

Detection guidance

In HTTP request logs, search for suspicious patterns in parameters that feed into cssClass, cssErrorClass, or cssStyle—look for encoded or literal angle brackets (<, >), JavaScript protocol handlers (javascript:), or event handler attributes (onload=, onclick=, etc.). Monitor for 400/403 responses that may indicate a WAF blocking XSS payloads. In application logs, watch for exceptions during JSP rendering if malformed CSS payloads trigger parser errors. Perform a code audit to identify all JSP pages using Spring form tags and binding user input to style-related attributes. Penetration testing against the application should include injection of payloads like <script>alert(1)</script> and event handlers into suspected vulnerable parameters.

Why prioritize this

Although the CVSS score is MEDIUM (5.9), this vulnerability should be prioritized for near-term remediation due to its prevalence across multiple Spring Framework versions, ease of exploitation once a vulnerable parameter is identified, and potential for widespread impact in organizations with large user bases. The lack of KEV status should not delay patching; the attack pattern is well-understood and social engineering is a proven delivery mechanism. Organizations with customer-facing applications or internal portals handling sensitive data should treat this as high priority. Mature security teams should patch within 1-2 weeks; others within 30 days.

Risk score, explained

The CVSS 5.9 MEDIUM score reflects the requirement for user interaction (lowering severity) and moderate attack complexity, but acknowledges high confidentiality impact (session hijacking, credential theft). The score does not account for prevalence—Spring Framework's ubiquity across enterprise Java applications significantly increases real-world risk exposure. The non-KEV status suggests no active, widespread exploitation at time of disclosure, but this should not be mistaken for low risk; reflected XSS vulnerabilities can be weaponized rapidly.

Frequently asked questions

Do I need to patch if I don't use JSP form tags in my Spring application?

No, if your application does not use Spring MVC's JSP form tag library (e.g., you use Thymeleaf, Freemarker, or a REST/JSON API), you are not affected by this CVE. However, if you have any JSP pages using tags like <form:input>, <form:select>, or similar Spring form tags, patching is recommended as a precaution.

Can this vulnerability be exploited without user interaction?

No. The vulnerability requires a user to click a malicious link or visit an attacker-controlled page that triggers the vulnerable JSP. An attacker cannot force exploitation through a network-based attack alone; social engineering or credential-stuffing attacks combined with the XSS payload increase risk but are separate threat vectors.

Will a Web Application Firewall (WAF) protect me while I patch?

A WAF configured with XSS detection rules can block many payloads before they reach the JSP layer, providing temporary protection. However, sophisticated attackers can often obfuscate payloads (e.g., Unicode encoding, case variation) to bypass WAF rules. A WAF is a useful compensating control but is not a substitute for patching.

What should I do if I cannot patch immediately due to testing or compatibility constraints?

Apply strict input validation and encoding: ensure cssClass and cssErrorClass accept only whitelisted values (alphanumerics and hyphens), and avoid binding user input to cssStyle entirely. Implement Content Security Policy (CSP) headers with a restrictive default-src policy to limit inline script execution. Request security review from your internal team or a consultant to verify your compensating controls are effective.

This analysis is based on the vulnerability description and CVE metadata published as of June 2026. No public exploit code or weaponized proof-of-concept has been confirmed. Organizations should verify patch availability and version numbers directly from the official VMware Spring Framework security advisory before applying remediation. This document does not constitute security advice; consult with your security team or a professional services provider for deployment-specific guidance. Patch testing in non-production environments is mandatory. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).