CVE Catalog

CVE-2026-41839

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile - higher than 9% of all known CVEs

Summary

A WebFlux application with a compromised subdomain is vulnerable to an escalation attack that allows exchanging a known session ID for that of an authenticated user.

Risk Assessment

An attacker could gain access to an authenticated user's session, potentially leading to account takeover and data breaches.

Recommendation

It is recommended to monitor subdomains and implement protections against XSS attacks to minimize escalation risks.

Original NVD description (English source)

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS