Description
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.

Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Published: 2026-06-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Web Flow's JavaScript RemotingHandler improperly renders the body of error responses as HTML even when the "Content-Type" is not "text/html". Consequently, an attacker can embed script payloads in an error response that contains reflected input, leading to a scripting attack in the victim's browser. The vulnerability is a classic reflected XSS flaw, CWE-79, and can compromise confidentiality, integrity, or availability of the affected web application by allowing attackers to execute arbitrary client-side code.
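To make the bug class concrete, the following added example (not Spring Web Flow's own code) contrasts a client-side error renderer that treats every error body as HTML with one that consults the Content-Type first; the function names, the `response` shape and the sample JSON error are hypothetical.

```javascript
// Added example, not Spring Web Flow's RemotingHandler: a client-side error
// renderer. Function names and the response object shape are hypothetical.

// Reduce a Content-Type header to its bare media type:
// "Text/HTML; charset=UTF-8" -> "text/html". Parameters and case must not
// influence the decision, so they are stripped and normalised.
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// HTML-escape a string so that markup inside a non-HTML body is displayed
// literally instead of being parsed by the browser.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern described by the advisory: the body is handed to the
// page as markup (e.g. via innerHTML) regardless of what the server declared.
function renderErrorUnsafe(response) {
  return { asHtml: true, markup: response.body };
}

// Hardened pattern: only a body the server labelled text/html is rendered as
// markup; any other type (text/plain, application/json, ...) is escaped so a
// caller would insert it as text (e.g. via textContent), never as HTML.
function renderErrorSafe(response) {
  const type = mediaType(response.headers["content-type"]);
  if (type === "text/html") {
    return { asHtml: true, markup: response.body };
  }
  return { asHtml: false, markup: escapeHtml(response.body) };
}

// Constructed sample: a JSON error whose message reflects request input that
// happens to contain markup. No real server or flow id is involved.
const sampleError = {
  status: 500,
  headers: { "content-type": "application/json; charset=UTF-8" },
  body: '{"message":"Unknown flow id: <b>x</b>"}',
};

console.log(renderErrorUnsafe(sampleError)); // markup still contains <b>x</b>
console.log(renderErrorSafe(sampleError));   // asHtml: false, markup escaped
```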

Affected Systems

The affected package is Spring Web Flow, versions 4.0.0; 3.0.0 through 3.0.1; and 2.5.0 through 2.5.1. All users running these releases should verify their deployment and consult vendor advisories for patches.

Risk and Exploitability

With a CVSS score of 4.8, the vulnerability is medium-low severity. EPSS data is not available, and the issue is not listed in CISA's KEV catalog, suggesting a relatively low probability of exploitation. Nevertheless, if the application surfaces detailed error information that includes user-supplied data, the attack path involves a standard web request that triggers an error, thereby making the vulnerability exploitable in a typical web scenario.

Generated by OpenCVE AI on June 11, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Web Flow to a patched release that fixes CVE-2026-40986.
  • Disable detailed error messages in production, ensuring that error responses do not contain user-supplied input or stack traces.
  • Sanitize or HTML-encode any content that is included in error responses to prevent script execution.


Tracking


Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values added: Spring; Spring spring Web Flow
Type: Vendors & Products
Values added: Spring; Spring spring Web Flow

Thu, 11 Jun 2026 06:45:00 +0000

Type: Description
Values added: Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Type: Title
Values added: Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N'}


Subscriptions

Spring Spring Web Flow
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T12:46:45.896Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40986

Vulnrichment

Updated: 2026-06-11T12:46:42.533Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T07:16:26.920

Modified: 2026-06-11T15:21:30.653

Link: CVE-2026-40986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:25Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')