CVE-2026-41003

Published: Jun 10, 2026Modified: Jun 12, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Affected (6)

Products: Vmware: Spring Security

Vmware

1 product

Spring Security

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Security	From 5.7.0 to 5.7.24
Vmware Spring Security	From 5.8.0 to 5.8.26
Vmware Spring Security	From 6.3.0 to 6.3.17
Vmware Spring Security	From 6.4.0 to 6.4.17
Vmware Spring Security	From 6.5.0 to 6.5.11
Vmware Spring Security	From 7.0.0 to 7.0.6

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://spring.io/security/cve-2026-41003

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.