Overview
About vulnerability
Description
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.
Affected Spring Products and Versions
Spring Security:
- 5.7.0 - 5.7.23
- 5.8.0 - 5.8.25
- 6.3.0 - 6.3.16
- 6.4.0 - 6.4.16
- 6.5.0 - 6.5.10
- 7.0.0 - 7.0.5
- Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Spring Security:
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.7.x | 5.7.24 | Enterprise Support Only |
| 5.8.x | 5.8.26 | Enterprise Support Only |
| 6.3.x | 6.3.17 | Enterprise Support Only |
| 6.4.x | 6.4.17 | Enterprise Support Only |
| 6.5.x | 6.5.11 | OSS |
| 7.0.x | 7.0.6 | OSS |
History
- 2026-06-09: Initial vulnerability report published.
Details
- Affected product: Apache CXF, Apache Log4j, Spring
- Affected packages: Spring Security @ 5.8.15 (+988 more)