CVE-2026-40986
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not 'text/html'. This can lead to a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.
Risk Assessment
The organization may be exposed to scripting attacks that could lead to user data theft or session hijacking. Specifically, if an attacker can inject malicious data, the risk increases.
Recommendation
It is recommended to upgrade to the latest version of Spring Web Flow to minimize the risk associated with this vulnerability. An audit of the application should also be conducted to identify potential attack vectors.
Original NVD description (English source)
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

