Description
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.

Affected versions:
Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Published: 2026-06-09
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Security can output unencoded HTML when values are supplied via RelyingPartyRegistration. An attacker who can influence these values can inject malicious markup that is rendered in the browser, giving the attacker the ability to execute arbitrary client‑side code. The weakness is an instance of insecure client‑side input handling, specifically Cross‑Site Scripting as defined by CWE‑79, and can compromise user data, session integrity, trust, or further network resources.

Affected Systems

Affected systems include the Spring Security library from the Spring Framework vendor, covering releases 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.

Risk and Exploitability

Risk and exploitability assessment shows a CVSS score of 7.6, indicating high severity. The EPSS score is not available, so the exact exploitation probability is unknown, but the lack of KEV listing suggests it has not yet been widely exploited in the wild. The likely attack vector requires the attacker to have the ability to alter RelyingPartyRegistration values, either through compromised configuration files, APIs, or other misconfigured services. If successful, the attacker can run arbitrary script in the victim’s browser, potentially leading to session hijacking, credential theft, or further internal compromise.

Generated by OpenCVE AI on June 10, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to a non‑vulnerable release (5.7.24 or newer, 5.8.26 or newer, 6.3.17 or newer, 6.4.17 or newer, 6.5.11 or newer, 7.0.6 or newer).
  • Ensure that any RelyingPartyRegistration values are properly HTML‑encoded before rendering in forms.
  • Validate and sanitize all configuration or user input that populates RelyingPartyRegistration to prevent injection of unencoded markup.

Generated by OpenCVE AI on June 10, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41003 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Title Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:46:53.683Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-41003

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:50.307

Modified: 2026-06-10T00:16:50.307

Link: CVE-2026-41003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses