View all Vulnerabilities

CVE-2026-41845

Cross-Site Scripting
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing the core inversion-of-control container plus the web, data access, messaging, and integration modules that most Spring applications build on. Its spring-web module ships org.springframework.web.util.JavaScriptUtils, a small utility whose javaScriptEscape method is meant to make a server-side string safe to inline into a JavaScript context, for example the value rendered by the JSP form tag library when javaScriptEscape="true" is set, or any application code that injects server data into an inline script block.

A high-severity vulnerability (CVE-2026-41845) has been identified in JavaScriptUtils.javaScriptEscape. The method escapes the characters that are special inside single- or double-quoted JavaScript string literals (including the quote characters, the backslash, the forward slash, control characters, and the angle-bracket characters that were added to harden against an earlier XSS issue), but it does not escape the backtick or the dollar sign. Both characters are special inside an ECMAScript template literal: the backtick delimits the literal and the dollar-brace syntax interpolates an arbitrary JavaScript expression. When the escaped value is embedded inside a template literal rather than a quoted string, attacker-controlled input containing a backtick or an interpolation sequence can break out of the intended string context and execute arbitrary JavaScript in the victim's browser.

Per OWASP, Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user, and the end user's browser executes the script because it has no way to know the script should not be trusted. Because the script runs in the victim's session, it can read cookies and other session data, perform actions as the victim, and rewrite page content.

The CVSS v3.1 base score for this vulnerability is 8.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N. The attack vector is Network, complexity is Low, no privileges are required, and user interaction is required because the victim must render the page that embeds the unsafely escaped value. Confidentiality impact is High and Integrity impact is Low, consistent with cross-site scripting where session and data exposure is the primary impact.

This issue affects >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7 of Spring Framework. The method long predates these lines, so older releases that are past their open-source end-of-life, including the 4.3.x line, are affected as well.

Details

Module Info

Vulnerability Info

The vulnerability is in JavaScriptUtils.javaScriptEscape(String) in the spring-web module. The method walks the input character by character and appends an escape sequence for each character that is special in a JavaScript string. Before the fix, the escape chain covered quotes, the backslash, the forward slash, the standard control characters, the angle-bracket characters, and the U+2028 and U+2029 line separators, but it had no branch for the backtick or the dollar sign, so both passed through unescaped.

Inside a single- or double-quoted JavaScript string literal that is harmless, which is the context the method was originally designed for. Inside an ECMAScript template literal it is not: the template literal is delimited by backticks, and the dollar-brace syntax interpolates and evaluates a JavaScript expression. If an application uses javaScriptEscape to inline a server-side value into a template literal, for example:

<script>
  const label = `Hello ${userControlledValue}`;
</script>

Then a value that contains an unescaped backtick (breaking out of the template literal) or an interpolation sequence such as ${maliciousExpression} (which is interpolated and evaluated directly) is rendered verbatim. In both cases the attacker's JavaScript executes in the victim's browser within the application's origin, which is the defining behavior of cross-site scripting.

The fix adds two branches to the escape chain so that the backtick is rewritten to its Unicode escape and the dollar sign to its Unicode escape, neutralizing both template-literal delimiters while leaving the rest of the method unchanged:

else if (c == '
') {
    filtered.append("\\u2028");
}
else if (c == '
') {
    filtered.append("\\u2029");
}
else {
    filtered.append(c);
}

The change ships in upstream commit a1826b725c29fbb175fa7b4fc005aa3d78c32015 ("Refine JavaScriptUtils#javaScriptEscape", Closes gh-36795), authored by Sébastien Deleuze and committed by Brian Clozel. It is accompanied by two regression tests that assert the new escapes:

@Test
void escapeBacktick() {
    assertThat(JavaScriptUtils.javaScriptEscape("`")).isEqualTo("\\u0060");
}

@Test
void escapeDollar() {
    assertThat(JavaScriptUtils.javaScriptEscape("$")).isEqualTo("\\u0024");
}

This is the same method that was hardened once before, when angle-bracket escaping was added in response to CVE-2013-6430. The template-literal characters were not in scope then and are addressed by this fix. Because neither the backtick nor the dollar sign was ever escaped on any release line prior to this fix, every Spring Framework release from at least 4.3.0 through the pre-fix tips of the 5.3.x, 6.1.x, 6.2.x, and 7.0.x lines is affected.

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions, including the 4.3.x, 5.3.x, and 6.1.x lines, have no publicly available open-source fix for this vulnerability; the patch for those lines is delivered only through commercial builds.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported open-source version of Spring Framework that contains the fix. The OSS fix ships in Spring Framework 7.0.8 (7.0.x line) and 6.2.19 (6.2.x line).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework, which provides patched 4.3.x, 5.3.x, and 6.1.x builds.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-41845
PROJECT Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Cross-Site Scripting
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.