CVE-2026-41845 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2026-41845

Analyzed

More Info Official Page

Source-security@vmware.com

Published At-09 Jun, 2026 | 05:16

Updated At-11 Jun, 2026 | 16:12

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary	3.1	6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Type: Primary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CPE Matches

VMware (Broadcom Inc.)

>>spring_framework>>Versions from 5.3.0(inclusive) to 5.3.49(exclusive)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_framework>>Versions from 6.1.0(inclusive) to 6.1.28(exclusive)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_framework>>Versions from 6.2.0(inclusive) to 6.2.19(exclusive)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_framework>>Versions from 7.0.0(inclusive) to 7.0.8(exclusive)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	security@vmware.com

CWE ID: CWE-79

Type: Secondary

Source: security@vmware.com

References

Hyperlink	Source	Resource
https://spring.io/security/cve-2026-41845	security@vmware.com	Vendor Advisory

Hyperlink: https://spring.io/security/cve-2026-41845

Source: security@vmware.com

Resource:

Vendor Advisory