CVE-2026-41839NVD

Vulnerability Summary

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Severity Level

MEDIUM(4.2)

Published Date

Jun 9, 2026

Last Modified

Jun 9, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.03%Probability

Root Weakness (CWE)

CWE-384: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionRequired

ScopeUnchanged

ConfidentialityLow

IntegrityLow

AvailabilityNone

External References

https://spring.io/security/cve-2026-41839

Critical Alert

CVE Watchtower

CVE-2026-41839NVD

Vulnerability Summary

External References