Home
HIGH: 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NDefault status
unaffected
7.0.0 (custom) before 7.0.8
affected
6.2.0 (custom) before 6.2.19
affected
6.1.0 (custom) before 6.1.28
affected
5.3.0 (custom) before 5.3.49
affected
Description
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Product status
7.0.0 (custom) before 7.0.8
6.2.0 (custom) before 6.2.19
6.1.0 (custom) before 6.1.28
5.3.0 (custom) before 5.3.49
References
spring.io/security/cve-2026-41845