CVE-2026-41846
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
Spring MVC applications that accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability.
Risk Assessment
An attacker can inject malicious JavaScript code that executes in the victim's browser, leading to session theft, account takeover, or theft of sensitive data.
Recommendation
It is recommended to immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used, and avoid directly passing user input to CSS attributes in JSP form tags.
Original NVD description (English source)
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

