CVE Catalog

CVE-2026-41839

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile - higher than 10% of all known CVEs

Summary

A WebFlux application with a compromised subdomain (e.g., via XSS) allows an attacker to exchange a known session ID for that of an authenticated user, leading to privilege escalation.

Risk Assessment

An attacker can hijack an authenticated user's session, gaining unauthorized access to protected resources and data within the application.

Recommendation

Immediately upgrade Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch in use.

Original NVD description (English source)

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS