AIKIDO-2026-845613

spring-js-resources is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS) | CVE-2026-40986 | Published Today

50 (Medium Risk)

This Affects:

java: spring-js-resources
- 0.0.1 - 2.5.1, fixed in 2.5.2
- 3.0.0 - 3.0.1, fixed in 3.0.1.1
- 4.0.0 - 4.0.0, fixed in 4.0.0.1

TL;DR

Spring Web Flow contains a cross-site scripting vulnerability in its JavaScript RemotingHandler. When processing Ajax error responses, the handler may render response content as HTML even when the response is not of type text/html. If an attacker can cause malicious input to be reflected in an error response, arbitrary JavaScript may be executed in the victim's browser.
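To make the failure mode concrete, the following added example (not Spring Web Flow's own code) shows a minimal Ajax error handler that exhibits the pattern described above next to a hardened counterpart that keys on the response media type. All function names, the response shape and the sample response are assumptions constructed for the example.

```javascript
// Added illustration of the weakness described in this advisory; not code from
// spring-js-resources. Function names and the response object shape are assumptions.

// Extract the media type from a Content-Type header, dropping parameters and
// normalising case (e.g. "Text/HTML; charset=utf-8" -> "text/html").
function mediaType(contentTypeHeader) {
  if (!contentTypeHeader) return "";
  return contentTypeHeader.split(";")[0].trim().toLowerCase();
}

// Escape the characters that change meaning when a string lands in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed pattern: the error body is treated as HTML markup regardless of Content-Type,
// so any input reflected into the error response becomes live DOM in the victim's browser.
function renderErrorUnsafe(response) {
  return { kind: "html", markup: response.body };
}

// Hardened pattern: only a text/html response is rendered as markup; any other media
// type (JSON, plain text, ...) is displayed as escaped text. The application still has
// to build its own text/html error pages from escaped data for this branch to be safe.
function renderErrorSafe(response) {
  const type = mediaType(response.headers["content-type"]);
  if (type === "text/html") {
    return { kind: "html", markup: response.body };
  }
  return { kind: "text", markup: escapeHtml(response.body) };
}

// Constructed sample: a JSON error response in which a request parameter was reflected.
const sampleResponse = {
  status: 500,
  headers: { "content-type": "application/json; charset=utf-8" },
  body: '{"error":"Unknown state: <script>alert(1)</script>"}',
};
```

Running the two handlers over `sampleResponse` shows the difference: the unsafe handler hands the `<script>` element to the DOM, while the hardened handler emits `&lt;script&gt;` as inert text.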

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you are using the org.springframework.webflow:spring-js-resources artifact.

Background info

spring-js-resources is vulnerable to Cross-site Scripting (XSS) in versions 0.0.1 - 2.5.1, 3.0.0 - 3.0.1 and 4.0.0 - 4.0.0.

How to fix this

Upgrade the org.springframework.webflow:spring-js-resources library to a patched version (2.5.2, 3.0.1.1 or 4.0.0.1, depending on the release line you are on).