CVE-2026-40986

MEDIUM NVD

CVSS Score 4.8

Severity MEDIUM

Published Jun 11, 2026

Vendor unknown

Description

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

References

https://spring.io/security/cve-2026-40986