Description

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-09 | Updated 2026-06-10 | Assigner vmware

HIGH: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Product status

Default status: unaffected

5.7.0 (custom) before 5.7.24: affected

5.8.0 (custom) before 5.8.26: affected

6.3.0 (custom) before 6.3.17: affected

6.4.0 (custom) before 6.4.17: affected

6.5.0 (custom) before 6.5.11: affected

7.0.0 (custom) before 7.0.6: affected

References

spring.io/security/cve-2026-41003

cve.org (CVE-2026-41003)

nvd.nist.gov (CVE-2026-41003)