CVE-2026-40986

Summary

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.

Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Web Flow4.0.0 < 4.0.0.1affected
SpringSpring Web Flow3.0.0 < 3.0.1.1affected
SpringSpring Web Flow2.5.0 < 2.5.2affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References