Spring Security can output unencoded HTML when values are supplied via RelyingPartyRegistration. An attacker who can influence these values can inject malicious markup that is rendered in the browser, giving the attacker the ability to execute arbitrary client‑side code. The weakness is an instance of insecure client‑side input handling, specifically Cross‑Site Scripting as defined by CWE‑79, and can compromise user data, session integrity, trust, or further network resources.

Affected systems include the Spring Security library from the Spring Framework vendor, covering releases 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.

Risk and exploitability assessment shows a CVSS score of 7.6, indicating high severity. The EPSS score is not available, so the exact exploitation probability is unknown, but the lack of KEV listing suggests it has not yet been widely exploited in the wild. The likely attack vector requires the attacker to have the ability to alter RelyingPartyRegistration values, either through compromised configuration files, APIs, or other misconfigured services. If successful, the attacker can run arbitrary script in the victim’s browser, potentially leading to session hijacking, credential theft, or further internal compromise.