Impact
Spring MVC applications that pass user-controlled input into the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow attackers to inject arbitrary HTML or JavaScript, creating a cross-site scripting (XSS) vulnerability. An attacker who can influence these attributes can run script in the victim's browser, potentially compromising privacy, defacing the site, or hijacking user sessions. The issue stems from insufficient validation and output encoding of these attribute values, as categorized by CWE-79.
Affected Systems
The affected product is the Spring Framework across multiple release lines. The vulnerability impacts Spring Framework versions 5.3.0 to 5.3.48, 6.1.0 to 6.1.27, 6.2.0 to 6.2.18, and 7.0.0 to 7.0.7. Any application built with these versions and employing JSP form tags with user-influenced cssClass, cssErrorClass, or cssStyle attributes is at risk.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and no EPSS score is available, so the current likelihood of exploitation cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog and does not appear to require privileged access. The likely attack vector is an externally supplied web request that carries malicious content into one of the affected JSP attributes; the application then renders that content into the tag's output without proper escaping, leading to XSS. No additional exploitation conditions are mentioned in the description.
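Added example (not from the advisory or the Spring project) showing the input flow the advisory describes and the control an application can apply while still on an affected release: a controller takes a request parameter that selects the class used by a `cssClass="${theme}"` form tag, once passed through unchecked and once restricted to an allowlisted token. The controller, route, parameter and theme names are assumptions.

```java
// Added example, not Spring's own code. Assumed: a view "profile" whose JSP contains
//   <form:input path="email" cssClass="${theme}" />
// so whatever the model holds under "theme" is emitted into the class attribute.
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.HtmlUtils;

@Controller
public class ThemeController {

    // A CSS class token: letters, digits, '-' and '_' only, bounded in length.
    private static final Pattern CSS_TOKEN = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    // The only class names this application actually ships (assumed values).
    private static final Set<String> KNOWN_THEMES = Set.of("form-light", "form-dark");
    private static final String DEFAULT_THEME = "form-light";

    // Vulnerable flow: the raw parameter reaches the model and, on an affected
    // Spring Framework release, the form tag writes it out without escaping.
    @GetMapping("/profile/unsafe")
    public String unsafe(@RequestParam(defaultValue = DEFAULT_THEME) String theme, Model model) {
        model.addAttribute("theme", theme);
        return "profile";
    }

    // Hardened flow: only an allowlisted token reaches the model; anything else
    // falls back to the default, so no attacker-chosen characters are rendered.
    @GetMapping("/profile")
    public String safe(@RequestParam(defaultValue = DEFAULT_THEME) String theme, Model model) {
        model.addAttribute("theme", sanitizeCssClass(theme));
        return "profile";
    }

    // Returns a known class name or the default. The HTML escape is defense in depth:
    // an allowlisted token contains nothing to escape, but it guards a later
    // loosening of the allowlist.
    static String sanitizeCssClass(String candidate) {
        if (candidate == null
                || !CSS_TOKEN.matcher(candidate).matches()
                || !KNOWN_THEMES.contains(candidate)) {
            return DEFAULT_THEME;
        }
        return HtmlUtils.htmlEscape(candidate);
    }
}
```

The allowlist is a compensating control, not a substitute for moving to a Spring Framework release outside the affected version ranges listed above.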
OpenCVE Enrichment