HarborGuard Database
HIGH · CVE-2026-41845 · CNA: vmware

CVE-2026-41845: Spring Framework Cross-site Scripting via JavaScriptUtils

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

CVSS v3.1
7.1
Severity
HIGH
Fixed in
5.3.49 (5.3.x line); 6.1.28, 6.2.19 and 7.0.8 for the 6.1, 6.2 and 7.0 lines
Affected Products
1


HarborGuard Analysis

Synopsis

Cross-site scripting (XSS) in Spring Framework is caused by incorrect character escaping inside JavaScriptUtils.javaScriptEscape(): a value the application embeds in JavaScript output, believing it to be safely escaped, can instead be interpreted by the browser as code. The vulnerability is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page before the injected script executes in their browser. Successful exploitation lets an attacker read sensitive data from the victim's browser session and perform limited content modification in the context of the affected origin. Exposure depends on whether the application passes untrusted input through this helper and writes the result into a JavaScript context; the advisory does not identify which characters are mishandled, so upgrading is the only reliable remediation. Patched-image rebuilds at versions 5.3.49, 6.1.28, 6.2.19, and 7.0.8 are available on HarborGuard for environments running affected versions.
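The class of defect behind this CVE, shown as an added example that is neither Spring Framework code nor HarborGuard tooling: an escaper for values placed inside an inline script must neutralise every character that can end the JavaScript string literal, end the enclosing script element, or open an HTML comment, not just quotes and backslashes. The advisory does not say which characters javaScriptEscape() mishandles, so weakJsEscape below is a constructed stand-in that omits several of them, placed beside a strictJsEscape that converts the whole set to \uXXXX escapes. The payload strings and the sample list are constructed for the example.

```javascript
// Added example: why an incomplete JavaScript-string escaper is an XSS primitive.
// Neither function is Spring's JavaScriptUtils; weakJsEscape is a constructed
// stand-in for "escapes quotes and backslashes and nothing else".

// Constructed weak escaper: handles only the characters people think of first.
function weakJsEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Hardened escaper: every character that can terminate a JS string literal,
// close the enclosing <script> element, or open an HTML comment is written as a
// \uXXXX escape, which is inert inside a string literal and has no HTML meaning.
function strictJsEscape(s) {
  return s.replace(/[\\"'<>&=\/\u0000-\u001f\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0').toUpperCase()
  );
}

// Approximation of the two parsers' rules: the HTML tokenizer ends an inline
// script at "</script" (case-insensitive) and treats "<!--" specially, and the
// JS parser ends a string literal at an unescaped line terminator
// (\r, \n, U+2028, U+2029). If any of these survive escaping, the value can
// break out of the string-literal context it was meant to stay in.
function breaksOutOfInlineScript(escaped) {
  return /<\/script/i.test(escaped) ||
    /<!--/.test(escaped) ||
    /[\r\n\u2028\u2029]/.test(escaped);
}

// Render the value the way a template would: an inline script assigning it to a
// variable. Shown for illustration; the safety check runs on the escaped value.
function renderInlineScript(escapeFn, untrustedValue) {
  return '<script>var msg = "' + escapeFn(untrustedValue) + '";</script>';
}

// Does the escaper keep every sample inside the string literal?
function escaperIsSafe(escapeFn, samples) {
  return samples.every((s) => !breaksOutOfInlineScript(escapeFn(s)));
}

// Does the escaper preserve the value? \uXXXX escapes are valid JSON, so a
// JSON.parse round trip checks that strictJsEscape is lossless.
function roundTrips(s) {
  return JSON.parse('"' + strictJsEscape(s) + '"') === s;
}

// Constructed attacker input: closes the script element from inside a quoted
// string. Quotes and backslashes are irrelevant, because the HTML parser ends
// the script element before the JS parser ever sees the string.
const PAYLOAD = '</script><script>alert(document.cookie)</script>';

// Constructed samples: element breakout, a JS line terminator, an HTML comment
// opener, and a benign value that only needs quote handling.
const SAMPLES = [PAYLOAD, 'line\u2028break', '<!-- comment', 'plain "quoted" text'];

console.log('weak escaper safe?  ', escaperIsSafe(weakJsEscape, SAMPLES));
console.log('strict escaper safe?', escaperIsSafe(strictJsEscape, SAMPLES));
console.log(renderInlineScript(strictJsEscape, PAYLOAD));
```

The check in breaksOutOfInlineScript is deliberately narrow: it only looks for the tokens that matter in an inline-script string context. A value destined for an HTML attribute, a URL, or a script src needs a different escaper, and no string escaper helps if the value is concatenated outside the quotes.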

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring Framework directly. Any image containing an affected Spring Framework version is flagged automatically, whether it lives in a registry or passes through a build pipeline.

Triage: Available

HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and can weight that score further against each customer environment's compliance policy, for example elevating urgency for internet-facing services. Triage findings are routed to the team or inbox configured in each customer org's notification settings.

Patch: Available

A patched-image rebuild against the appropriate fix version (5.3.49, 6.1.28, 6.2.19, or 7.0.8, matching the branch already in use) becomes available on HarborGuard as soon as the upstream release is confirmed. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the new image, and opens a pull request against each affected workload automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the affected web application over the network; the service must be exposed via HTTP or HTTPS to be exploitable.

  • Authentication: Not required

    No account or credential is needed; the attack can be initiated by any anonymous party who can send a request to the application.

  • Victim interaction: Required

    A user must follow a crafted link or visit a page that renders the vulnerable JavaScriptUtils.javaScriptEscape() output, so exploitation typically depends on social engineering (CVSS UI:R).

  • Attack complexity: Low

    The exploit is reliable and depends on no race condition or other environmental precondition; the attacker only needs to get a crafted value into output that the application escapes with the vulnerable helper.

Blast Radius

  • Reads session tokens, cookies, or credentials that script in the victim's origin can access (cookies marked HttpOnly are not readable directly, but the injected script can still issue requests that carry them).
  • Reads page content and data rendered in the victim's current session, including any sensitive fields displayed in the UI.
  • Injects and executes arbitrary JavaScript in the victim's browser, enabling actions on their behalf within the affected application.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41845 fires within minutes of CVE publication for any image containing an affected Spring Framework version across all registered registries and CI pipelines. For customers who opt into auto-remediation, HarborGuard rebuilds the image against the correct fix branch (5.3.49, 6.1.28, 6.2.19, or 7.0.8), runs a regression pass on the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a triage report are staged and routed to the designated team inbox for review. Customers on multiple Spring Framework branches will receive a separate rebuild and PR per branch.


Fix available

5.3.49 · 6.1.28 · 6.2.19 · 7.0.8
Affected packages
  • Spring / Spring Framework
    < 7.0.8 (from 7.0.0) · < 6.2.19 (from 6.2.0) · < 6.1.28 (from 6.1.0) · < 5.3.49 (from 5.3.0)
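Deciding whether a resolved Spring Framework version is inside the affected ranges above, as an added example that is not HarborGuard's scanner: the ranges are per release line, so a version is affected only when it sits on one of the four listed lines and below that line's fix (6.3.0, for instance, is on none of them). The Maven dependency-tree text is constructed; the pre-release ordering rule (a qualified build such as 7.0.8-RC1 precedes the final 7.0.8) is an assumption of Maven-style ordering, not something the advisory states.

```javascript
// Added example (not HarborGuard tooling): match Spring Framework versions
// against the affected ranges listed on this page and scan a dependency tree.

// Ranges copied from the "Affected packages" entry: [from, fixed).
const AFFECTED_RANGES = [
  { from: '7.0.0', fixed: '7.0.8' },
  { from: '6.2.0', fixed: '6.2.19' },
  { from: '6.1.0', fixed: '6.1.28' },
  { from: '5.3.0', fixed: '5.3.49' },
];

// Spring Framework 5.3+ versions are major.minor.patch with an optional
// -QUALIFIER (M1, RC1, SNAPSHOT). Assumption: a qualified build orders before
// the final release of the same number, as Maven does, so 7.0.8-RC1 < 7.0.8.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?$/.exec(v.trim());
  if (!m) throw new Error('unrecognised version: ' + v);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], qualifier: m[4] || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  if (pa.qualifier && !pb.qualifier) return -1; // pre-release precedes final
  if (!pa.qualifier && pb.qualifier) return 1;
  return 0;
}

function rangeFor(version) {
  return AFFECTED_RANGES.find(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0
  ) || null;
}

function isAffected(version) {
  return rangeFor(version) !== null;
}

// Smallest fixed version on the same release line, or null if not affected.
function fixFor(version) {
  const r = rangeFor(version);
  return r ? r.fixed : null;
}

// Constructed `mvn dependency:tree` output. spring-boot is a different group
// and must not be matched; only org.springframework:* artifacts count.
const SAMPLE_MVN_TREE = `
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:6.2.18:compile
[INFO] |  \\- org.springframework:spring-core:jar:6.2.18:compile
[INFO] +- org.springframework:spring-context:jar:6.2.18:compile
[INFO] \\- org.springframework.boot:spring-boot:jar:3.5.0:compile
`;

// Returns Map<artifact, {version, affected, fix}> for every Spring Framework
// artifact found; the first occurrence of an artifact wins, as Maven resolves.
function scanMavenTree(text) {
  const findings = new Map();
  const re = /org\.springframework:(spring-[a-z-]+):jar:([^:\s]+):/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const [, artifact, version] = m;
    if (!findings.has(artifact)) {
      findings.set(artifact, { version, affected: isAffected(version), fix: fixFor(version) });
    }
  }
  return findings;
}

for (const [artifact, f] of scanMavenTree(SAMPLE_MVN_TREE)) {
  console.log(`${artifact} ${f.version}: ${f.affected ? 'AFFECTED, upgrade to ' + f.fix : 'ok'}`);
}
```

Because every Spring Framework artifact in a build normally shares one version, a single affected module means the whole set should move to that line's fix; mixing, say, spring-web 6.2.19 with spring-core 6.2.18 is not a supported state and the scan above would still report the older module.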
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N