MEDIUM | JUNE 10, 2026 | CVE-2026-40986
Description Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as
HTML even when the response is not "text/html", which can result in a scripting attack
in the user's browser if the error response from the server contains error…
HIGH | JUNE 10, 2026 | CVE-2026-40987
Description A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected Spring Products and Versions Spring Integration: 7.0.…
MEDIUM | JUNE 10, 2026 | CVE-2026-40985
Description Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Pre-conditions: The application explicitly configures the WebFlowELExpressionParser or its base class "ELExpressionParser". The…
HIGH | JUNE 10, 2026 | CVE-2026-40994
Description Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData, contradicting the intended secure default and published setter contract. Services…
MEDIUM | JUNE 10, 2026 | CVE-2026-40995
Description X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security’s standard account lifecycle checks (disabled, locked, expired, or credentials…
MEDIUM | JUNE 10, 2026 | CVE-2026-40997
Description Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic…
HIGH | JUNE 10, 2026 | CVE-2026-40998
Description Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK’s default DocumentBuilderFactory behavior instead of Spring’s hardened parser configuration…
HIGH | JUNE 10, 2026 | CVE-2026-40999
Description When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that…
LOW | JUNE 10, 2026 | CVE-2026-41000
Description Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and…
MEDIUM | JUNE 10, 2026 | CVE-2026-40996
Description Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material…
